Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, Wordpress, etc

Now some new PayPal phishing content is on https://papyi.com/ , with a web chat widget and a semi-active scammer on the other end.

A new one:

links to https://phantoms.me/ .

All the domains that resolve to 46.173.214.153 look suspicious to me.

Recently, www.papyi.com was updated with a new link to a new phishing payload domain:

fake login page https://desk.pyayi.com/

error page logr

tawk.to widget https://tawk.to/chat/68150b4f1eb5961913b9c10e/1iq938chg (seems unattended today, Saturday.)

The domain registration is allegedly in Uttarakhand.

redirects to a new fake-paypal domain: logr

same tawk.to chat account as before: https://tawk.to/chat/68150b4f1eb5961913b9c10e/1iq938chg

New fake PayPal domain: My PayPal Account Login links to https://abcw.pyayi.com/ , with error page logr . Same Tawk.to account as before.

New subdomain: logr

Sam from Bitstamp (and probably each and every crypto-related thing) can be reached at 641-268-2923 for the resolvement of any login issues on your side.

New tawk.to web chat account: https://tawk.to/chat/6835f6b04a34301911ec72d2/1is9cn93p .

Here’s another one I found recently:

links to

From the RDAP info:

Handle: THIN-197B1E1B58C

Roles:

  • registrant

Events:

registration: 6/27/2025, 7:54:06 AM

last changed: 6/27/2025, 7:54:08 AM

last update of RDAP database: 7/5/2025, 8:50:41 AM

Contact:

Name: Mohiya NA

Org: Mohiya

Address:

J 787KOTA
New Delhi
Delhi
110062
IN

Tel: +91.8677876787 (voice)

Email: [email protected]

An article from last September analyzing this trend, focusing on their Webflow feeder pages: Attackers Target Crypto Wallets Using Codeless Webflow Phishing Pages - Netskope.

links to https://lzrstgg67sdfsdijiug.zohair642.workers.dev/

where “Dorothy Allison” is active in the tawk.to web chat

https://tawk.to/chat/67fd3eac74d11e190f8bd5be/1ioqjpl30


Another new one: Download Bitfinity Extension | Official WebSite® links to https://bitfinext.info/ , which asks for your private key here: Bitfinity Wallet

Here’s a new one: Crypto.com login - Official Website links to the redirector site Sign In . This redirects to Sign In , with the usual error page Error! . Associated tawk.to web chat account https://tawk.to/chat/689347eab0606b192648485c/1j1vl1s12 .

A new site with an actual phone number this time!

links to the redirector logr, which redirects to

https://itxz.taxjhy.com/ (archived copy at logr – logs )

The associated tawk.to web chat https://tawk.to/chat/6774d6c649e2fd8dfe0145c5/1igg6dumf got me in touch with Robert from PayPal at 802-221-3539. Robert’s favorite color is black but he claims that there is no PayPal Song and refuses to sing it for the verification purposes.

Three new websites:

Tawk.to chat widgets: https://tawk.to/chat/68e918c20ae7ad1955a6d099/1j778heak

and https://tawk.to/chat/67fd3eac74d11e190f8bd5be/1ioqjpl30 .

crypcomlg[.]com taken down :smiley:

And now there’s https://crypcomlg.info/err .

https://sites.google.com/cryptissue.com/cryptologin-issue/home uses https://rebrand.ly/cryppt to link to Sign In .

Associated tawk.to account: https://tawk.to/chat/68e918c20ae7ad1955a6d099/1j778heak

All seem taken down already! :smiley:

New: https://cbsnerfs.pages.dev/support

Linked from Coinbase.com: Sign-in | Coinbase Login (Official Site)

associated tawk.to chat widget: https://tawk.to/chat/69556a5bfb875a197d2be084/1jdqqeu3g

A new one: Capital One Login – Manage Your Accounts & Cards Anytime links to Capital One Sign In: Log in to access your account(s) which redirects to Capital One Login .

Error page Error!

associated tawk.to chat https://tawk.to/chat/69185f08f0cd89195c96ca67/1ja3j6epd?pop=1

I got a call from Shane at (fake) Capital One Bank, 612-495-7861. His favorite color is red. He says that there is no Capital One Bank Song.

RDAP info for the domain is not fully redacted! capitoe.info - bgp.he.net

Moved to a new domain: Error!

New tawk.to widget id: https://tawk.to/chat/698a2a7bc060e01c37489666/1jh1rbtfo?pop=1

The DNS registration info was not redacted!! capitrs.info - bgp.he.net

Name: Jack Morris

Address:
New Jersey
New Jersey
08854

Email: [email protected]

Tel: +1.2512924943 (voice)

A new Jack Morris of New Jersey domain:

Associated tawk.to account: https://tawk.to/chat/69d00f5285998d1c39d5e968/1jlabnn48
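
The pivot used throughout this thread (the same tawk.to chat account turning up on a new landing host) can be automated. The following is an added example, not part of any post above; the function names are hypothetical, and the host/chat pairs in `SIGHTINGS` are copied from the posts.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# /chat/<24-hex property id>/<widget id>: the URL shape seen in the thread
CHAT_PATH = re.compile(r"^/chat/([0-9a-f]{24})/([0-9a-z]+)/?$")

def parse_tawk_chat(url):
    """Return (property_id, widget_id), or None if url is not a tawk.to chat link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Exact host match, so look-alikes such as tawk.to.example.net are rejected
    if parts.scheme not in ("http", "https") or host != "tawk.to":
        return None
    m = CHAT_PATH.match(parts.path.lower())  # query strings like ?pop=1 are ignored
    return (m.group(1), m.group(2)) if m else None

def cluster_by_account(sightings):
    """Map property_id -> sorted landing hosts observed with that chat account."""
    clusters = defaultdict(set)
    for landing_host, chat_url in sightings:
        parsed = parse_tawk_chat(chat_url)
        if parsed:
            clusters[parsed[0]].add(landing_host.lower().rstrip("."))
    return {pid: sorted(hosts) for pid, hosts in clusters.items()}

def reused_accounts(sightings):
    """Chat accounts seen on more than one landing host: the link worth reporting."""
    return {pid: hosts for pid, hosts in cluster_by_account(sightings).items()
            if len(hosts) > 1}

# (landing host, chat URL) pairs taken from the posts in this thread
SIGHTINGS = [
    ("desk.pyayi.com", "https://tawk.to/chat/68150b4f1eb5961913b9c10e/1iq938chg"),
    ("abcw.pyayi.com", "https://tawk.to/chat/68150b4f1eb5961913b9c10e/1iq938chg"),
    ("lzrstgg67sdfsdijiug.zohair642.workers.dev",
     "https://tawk.to/chat/67fd3eac74d11e190f8bd5be/1ioqjpl30"),
    ("itxz.taxjhy.com", "https://tawk.to/chat/6774d6c649e2fd8dfe0145c5/1igg6dumf"),
    ("cbsnerfs.pages.dev", "https://tawk.to/chat/69556a5bfb875a197d2be084/1jdqqeu3g"),
]

if __name__ == "__main__":
    for pid, hosts in reused_accounts(SIGHTINGS).items():
        print(pid, "->", ", ".join(hosts))
```

Feeding each new sighting through `cluster_by_account` gives one stable identifier per chat account to include in abuse reports, even after the landing domain has moved.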