It started with spam. The kind that really gets under your skin.
As a Discord server admin, you get used to dealing with trolls and bots. But this was different. For weeks, my communities were getting hit by a new, relentless type of scam. It wasn't just a lazy phishing link. It was a whole performance.
A compromised, purchased, or newly created account would join a server. It would post a single message containing nothing but 3-4 image links, and then disappear. The images were always the same formula: a carefully faked screenshot of a tweet from a big name like MrBeast or Elon Musk, announcing a new crypto casino with a massive free bonus.
At first, I did what any admin would do. Ban the account, delete the message, move on. But they kept coming back. Different accounts, same scam, same 3-4 images. It was a fire I couldn't put out, and it started to piss me off. I got tired of playing defense. I decided to figure out what was actually going on.
I finally clicked on one of the links. It took me to a slick, well-designed gambling website. Let's call it spinora[.]cc, one of the last ones I investigated. The branding was clean, the games looked polished, the animations were smooth. It almost felt legitimate, which is what made it so dangerous.
My curiosity took over. I decided to go through their entire user funnel, documenting everything like a real user would.
- I registered an account using a dummy email from 1Password. Standard procedure.
- I entered the promo code from the spam ad, something like "GIFT" or "BONUS". Instantly, my account balance shot up to $2,500. A completely fake number, of course, but it's designed to give you that quick dopamine hit.
- I "played" a few games, "won" a bit more, and then tried to withdraw the funds. The transaction was immediately rejected. A popup claimed my account wasn't verified. Predictable.
- To get "verified," the site demanded a cryptocurrency deposit. Usually from $60 to $100+, sent to a specific Bitcoin address.
And there it was. The whole scam, laid bare. A classic advance-fee fraud. The $2,500 bonus is just bait. The "verification deposit" is the hook. You send them real crypto, and you never see it, or your fake winnings, again.
Just knowing how the scam worked wasn't enough for me. I wanted to know how they were running it. So I opened up DevTools and started digging into the network requests.
Most of it was standard Next.js stuff, proxied through Cloudflare. But one API call caught my eye. When you opened the "Live Support" chat widget, it sent a request to a strange endpoint.
mammoth. That wasn't a standard third-party chat service like Tidio or LiveChat, which most sites would use. It was their own self-hosted API. I started checking the other scam sites as they popped up in my servers. They all had it. Every single one.
This was the fingerprint. The unique technical signature that connected all these seemingly separate websites. It was the thread I needed to pull. I codenamed the entire operation the "Mammoth Scam."
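One way to check saved DevTools captures for this fingerprint, as an added example rather than the tooling used in the investigation. The path is the /api/mammoth/chat endpoint named later in the post; the HAR fragments, the hostnames and the first-party host check are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

FINGERPRINT_PATH = "/api/mammoth/chat"  # endpoint path named in the post


def har(*urls):
    """Build a minimal HAR document (constructed test data, not real captures)."""
    return json.dumps({"log": {"entries": [{"request": {"url": u}} for u in urls]}})


# Constructed captures keyed by the site that was visited; all hostnames are placeholders.
CAPTURES = {
    "casino-a.example": har("https://casino-a.example/_next/static/main.js",
                            "https://casino-a.example/api/mammoth/chat?sid=1"),
    "casino-b.example": har("https://api.casino-b.example/api/mammoth/chat/"),
    "shop.example": har("https://widget.chat-vendor.example/api/mammoth/chat",
                        "https://shop.example/blog/api/mammoth/chat-review"),
}


def serves_fingerprint(site_host: str, har_text: str) -> bool:
    """True if the visited site itself (or a subdomain) answered the chat endpoint."""
    for entry in json.loads(har_text)["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        host = (url.hostname or "").lower()
        # Assumption: "self-hosted" means the request stays on the site's own domain.
        first_party = host == site_host or host.endswith("." + site_host)
        # Exact path match: a substring test would also hit unrelated URLs.
        if first_party and url.path.rstrip("/") == FINGERPRINT_PATH:
            return True
    return False


def fingerprinted_sites(captures: dict) -> list:
    """Sites from a set of captures that share the self-hosted chat endpoint."""
    return sorted(s for s, h in captures.items() if serves_fingerprint(s, h))


if __name__ == "__main__":
    print(fingerprinted_sites(CAPTURES))
```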
I wasn't the only one seeing this. In a Discord server for other community owners, a thread popped up about this exact issue. People were sharing strategies. It turns out the "3-4 image links" pattern was so consistent that admins had crowdsourced a regex to automatically block the messages.
regex
This confirmed my suspicion. The scammers were likely scraping public server directories like Disboard or Top.gg to get a huge list of targets, then hitting them with an automated, large-scale spam campaign. The fact that server admins had resorted to building custom regex filters showed just how big this problem had become.
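The links-only pattern described above can be checked with a short message filter. This is an added example, not the regex the admins crowdsourced; the image extensions, the prior_messages input and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the extensions treated as "image links" are chosen for this example.
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_links_only_image_post(content: str, lo: int = 3, hi: int = 4) -> bool:
    """True when the message is nothing but 3-4 image links."""
    tokens = content.split()  # splits on spaces and newlines alike
    if not lo <= len(tokens) <= hi:
        return False
    for tok in tokens:
        tok = tok.strip("<>")  # <url> is Discord's embed-suppression syntax
        if not URL_RE.fullmatch(tok):
            return False  # any non-URL text means it is not links-only
        try:
            # Compare the path only, so CDN query strings do not hide the extension.
            path = urlsplit(tok).path.lower()
        except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
            return False
        if not path.endswith(IMAGE_EXTS):
            return False
    return True


def triage(content: str, prior_messages: int) -> str:
    """Return 'block', 'review' or 'allow' for one incoming message.

    prior_messages is how many messages the member has already posted in
    the server (hypothetical input that a moderation bot would track).
    """
    if not is_links_only_image_post(content):
        return "allow"
    # The campaign posts once from a fresh join; an established member who
    # shares a few images is more likely legitimate, so a human decides.
    return "block" if prior_messages == 0 else "review"


# Constructed sample messages; hosts are placeholders.
SPAM = ("https://cdn.example/1.png\nhttps://cdn.example/2.jpg?ex=66&is=65\n"
        "<https://cdn.example/3.webp>")
CHATTY = "look at this https://cdn.example/1.png https://cdn.example/2.png"
```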
My next goal was to collect the Bitcoin wallet addresses they were using. My theory was that they were reusing them. I had a list of a few active domains, so I started the methodical process of registering on each one to get to the deposit page.
Simple tasks often uncover complicated truths. This was one of those times.
I registered on one site successfully. Then, with my VPN still on the same IP, I hopped over to a different scam domain to register again. The site blocked me. The API didn't just give a generic error. It gave me this:
json
This was huge. The error came from a completely separate domain, but it knew I had just registered somewhere else. This meant they weren't separate sites at all. They were all connected to a single, central system that was tracking my IP address across their entire network.
I had another piece of proof. My password manager, 1Password, is set up to suggest my dummy email. When I went to a new scam domain I had never visited before and clicked on the email field, 1Password autofilled my details. The site immediately showed an error: "An account with this email already exists."
That was the final confirmation.
All the scam sites share a single, unified user database.
This discovery changed everything. This wasn't a bunch of scammers using the same website template. This was one entity running a sophisticated, centrally-managed "scam-as-a-service" platform.
It explained everything:
- The live support was so consistent because it was a central pool of agents handling requests from all domains. They probably had a dashboard showing which site the user was on.
- The agents refusing to give me a BTC address in chat wasn't a quirk. It was a strict, network-wide security policy to force users through the automated deposit funnel and minimize data collection by researchers like me.
- They could deploy new sites so quickly because they were just pointing a new domain to their existing platform.
I knew this was bigger than anything I could handle alone. This wasn't just a scam, but an entire infrastructure. I probably uncovered a massive, organized criminal enterprise. I compiled all my findings, every screenshot, every technical detail, and every discovery into a formal report.
My research was eventually shared with cybersecurity journalist Brian Krebs. He used his own resources to validate my findings and uncovered the true scale of the operation. My "fingerprint" of the /api/mammoth/chat endpoint was found on over 1,200 recently registered domains.
The full investigation was later covered in detail on his website.
This investigation was also covered at: Krebs on Security: Scammers Unleash Flood of Slick Online Gaming Sites
What started as a simple annoyance with spam turned into a deep dive into an entire infrastructure. It proved that sometimes, the best way to protect your community isn't to just build higher walls.
It's to figure out who's throwing rocks, and go take their rocks away.
