Profiling the Recently Seized Samourai Cryptocurrency Mixer Service – An Analysis

I’ve decided to take a closer look at the recently seized domain portfolio of the infamous Samourai cryptocurrency mixer. The actual infrastructure consists of several primary domains and several secondary domains, a sizeable social media presence, and an Android application for the cryptocurrency mixing service itself.

Sample description of the service:

Samourai Wallet is the most feature rich and advanced bitcoin wallet available on Android today. It has been created from the ground up by privacy activists to be extremely portable, highly secure, and lead the pack in protecting the privacy of bitcoin users.

– Full Segwit Support for the most efficient transactions and lowest miner fees

– You control your private keys on your device, they are never communicated with any server

– Best in class dynamic miner fee estimation and custom fee settings

– STONEWALL for increasing the privacy of your transactions

– Ricochet spend for mitigation against address clustering attacks

– Send and receive Stealth Payments directly into your wallet with PayNym (BIP47)

– Deterministic sorting of input/outputs to prevent the wallet from leaving a discernible block chain fingerprint (BIP69)

– Bump a stuck transaction with full Replace By Fee (RBF) and Child Pays for Parent (CPFP) support

– Route outgoing transactions via your own trusted node

– No addresses are reused to help manage metadata leakage

– Standard import/export functionality. Compatible with any other BIP44/BIP49/BIP84 wallet.

– Stealth mode hides the wallet on the device. Dial a secret code to access your wallet.

– Enable remote SMS commands to regain access to your funds if you lose your phone

– Block Explorer support for all popular services

– Passphrase protection by default (BIP39)

– Fully encrypted client side and offline

– Connect via your preferred VPN

– Connect via Tor (Socks5 proxy)


Primary domains involved in the campaign include:

hxxp://samourai.io

hxxp://samouraiwallet.com

hxxp://samourai.support

Sample responding IPs:

Related responding IPs:

Related domains known to have been involved in the campaign include:

hxxp://oxtresearch.com

hxxp://nextblock.is

hxxp://samourai.email

Sample social media accounts:

hxxp://twitter.com/SamouraiWallet

hxxp://www.youtube.com/c/Samouraiwallet

hxxp://www.facebook.com/samouraiwallet

hxxp://github.com/Samourai-Wallet

Android application URL:

hxxp://play.google.com/store/apps/details?id=com.samourai.wallet&hl=en_US

The group behind the cryptocurrency mixing service also maintains several other domains:

hxxp://paynym.is – 193.29.187.225; 192.95.12.14; 188.214.30.147

hxxp://oxt.me

hxxp://sovereign.ly

hxxp://mule.tools

Sample known responding IPs:

I’ll continue monitoring the campaign and will post updates as soon as new developments take place.
