The “Node 1.9” Miracle: How to Turn Your Bitcoin into a Hard Lesson in Cybersecurity
Summary: The article exposes an online scam in which the scammer uses a supposed exploit promising 37% profit to lure users into executing malicious code, ultimately diverting their funds to the attacker's Bitcoin wallet. 2026-2-10 18:13:15 Author: infosecwriteups.com (view original) Reads: 0

shamooo

So, you’re scrolling through the dark corners of the internet … maybe looking for the meaning of life, maybe looking for a way to pay off that credit card… and you stumble upon a Pastebin promising the Holy Grail: The Node 1.9 Arbitrage Exploit.

The thesis is simple: Swapzone.io supposedly has a “leaky” legacy node for ChangeNOW that miscalculates exchange rates, giving you a cool 37% profit on every swap.

All you have to do is manually type javascript: into your URL bar and paste a "node protocol update" script.

If you work in cybersecurity, this is a win-win situation:

  • Bull Case: It’s real = Get rich
  • Bear Case: It’s fake = have fun analyzing what’s going on

(P.S. it's almost never the first one.)

Naturally, I decided to roll the dice…

The Stage 1 Loader: The Trojan Horse

The first script you see is a “Stage 1 Loader.” It’s tiny, unassuming, and uses some cheeky string replacement to hide its true destination. It pretends to fetch a script from swapzone.io, but it actually re-routes to lesma[.]eu.

Once it downloads the real payload, it finds a legitimate Next.js script on the Swapzone page, deletes it, and replaces it with the attacker’s (likely) malicious code.

The Stage 2 Payload: A Masterclass in Obfuscation

Next item on the list is checking what this script is actually doing; there's still hope for a bull case…

I used curl to pull the raw Stage 2 file from the attacker's server. It was a 152KB wall of hex-encoded gibberish.

I first tried using an online deobfuscator, but it didn’t do much. It managed to “prettify” the formatting, but the logic remained a tangled mess of math-heavy noise and encoded strings.

At this point we roll up our sleeves and make sense of the code to identify the key functions. I eventually isolated the Shuffler (the engine that rotates the data array) and the Resolver (the decryption function).

The script uses a shuffler block, a mathematical loop that rotates the array until a specific magic number is reached. If you change so much as a comma, the math fails, and the script goes into an infinite loop of death.

Cracking the Code: The “XOR” Reveal

Every command in this script is hidden behind a Resolver Function. To find out what the script was actually doing, I had to find the XOR Key.

After analyzing the logic and renaming some key variables, I found, deep in the code, this beautiful disaster of a math equation:

Running this through the console, the result was… 17. All that math just to get the number 17.

Let's test whether the magic 17 is able to decrypt one of the values in the array:

And it works!

The code is heavily obfuscated; however, decrypting this array, which is initialized at the beginning of the script, could give us some useful intel.

To do this, let's write a Python script to automate decryption of the entire array.

Once you XOR the entire array with the key of 17, you're left with a UI redressing and drainer kit.

At this point, deep in bear territory, we realize we're not getting rich today.

Here is the “37% Profit” breakdown:

  1. The script injects fake messages like [SUCCESS] Secure node handshake complete. It then manually edits the "Receive" amount on the website to show you that 37% bonus. It’s all CSS and HTML smoke and mirrors.
  2. It generates a new QR code pointing directly to the attacker.
  3. When you click “Copy Address,” the script uses navigator.clipboard.writeText to replace your address with one of the attacker's Bitcoin wallets.

Following the Money: The Blockchain Footprint

The prefix bc1 caught my eye. This is the Native SegWit (Bech32) Bitcoin address format. Decryption revealed a rotating list of collection addresses used by the scammers.
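The decryption script and the address triage described above, as an added example rather than the author's own script: it XORs each hex-encoded array entry with the key 17, then pulls out anything shaped like a bc1 address and checks its Bech32 checksum so that a defender can tell a real collection address from a decoy or a decoding error. The hex array is a constructed sample (it decodes to two strings from the write-up and the BIP173 example address), and the assumption that each entry is a hex string of single-byte-XORed bytes is mine.

```python
import re

KEY = 17  # the "magic 17" recovered from the resolver's arithmetic
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Constructed sample array (not the real payload): hex strings whose bytes were
# XORed with KEY. Decoded, they read "[SUCCESS]", "writeText" and the BIP173
# example address bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4.
SAMPLE_ARRAY = [
    "4a424452525442424c",
    "666378657445746965",
    "737220606624212975276074" "7b6965757625682463226b70"
    "63677063682172246966267a" "672977226525",
]

def xor_decode(hex_entry, key=KEY):
    """Undo the single-byte XOR on one hex-encoded array entry."""
    raw = bytes.fromhex(hex_entry)
    return bytes(b ^ key for b in raw).decode("utf-8", errors="replace")

def decode_array(entries, key=KEY):
    return [xor_decode(e, key) for e in entries]

def bech32_polymod(values):
    """BIP173 checksum polynomial over the 5-bit values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def is_valid_bech32(addr):
    """True if addr is a mainnet Bech32 address (bc1q..., constant 1) with a
    valid checksum. Bech32m (bc1p...) uses another constant and is not handled."""
    hrp, _, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return bech32_polymod(hrp_exp + [BECH32_CHARSET.index(c) for c in data]) == 1

def extract_wallets(decoded):
    """Return (address, checksum_ok) for every bc1 candidate in the strings."""
    pat = re.compile(r"bc1[%s]{6,87}" % BECH32_CHARSET)
    return [(m, is_valid_bech32(m)) for s in decoded for m in pat.findall(s)]
```

A candidate that fails the checksum is either a decoy, a wrong key, or a truncated match, so only checksum-valid addresses are worth tracing on-chain.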

Most of these addresses showed active inflow and outflow patterns, suggesting that despite the absurdity of the “Node 1.9” pitch, people are still taking the bait on the “37% profit” lure. Our investigation revealed a classic Peeling Chain strategy: funds are moved through a series of rapid micro-transactions where small amounts are “peeled” off to exchanges or mixers while the remaining bulk is tumbled into fresh addresses to evade detection.

The Moral of the Story

So, what have we learned today? Mostly that if someone on Pastebin tells you about a “leaky legacy node” and offers you a guaranteed 37% profit, the only thing actually leaking is your life savings into a scammer’s pocket.

Next time someone tells you to paste unverified JavaScript into your URL bar for “financial gains” — run…

Stay skeptical, stay off the console, and keep your Crypto where it belongs — somewhere the XOR of 17 can’t find it.

IOCs

lesma[.]eu

The Hall of Shame Bitcoin Wallets


Source: https://infosecwriteups.com/the-node-1-9-miracle-how-to-turn-your-bitcoin-into-a-hard-lesson-in-cybersecurity-e2435a142adb?source=rss----7b722bfd1b8d---4