
BitXLucky

Scam Casino & Sportsbook Worker Panel

Fake Casino | Lowest Quality | Steals From Workers
Victim-facing casino site (horwex.com)

What victims see: identical template across 59 domains

Title pattern: {BrandName}: Crypto Casino Games & Casino Slot Games - Crypto Gambling

  • Domains: 59
  • Est. Accounts: ~1000
  • Crypto Networks: 8
  • Server IPs (Aeza): 3

Key Finding: Platform Steals Registrations From Workers

We created a worker account, added test domains, generated promo codes, and registered a victim account with a promo code on the worker's domain. The registration never appeared in the worker panel (Users: 0).

The platform silently steals victim registrations from its own workers. Workers (traffers) are the lowest link in the scam money chain — they get scammed by the very platform they promote. This is common in the scam ecosystem, but BitXLucky is especially brazen about it.

This is also the lowest quality product of all panels we've analyzed — typos everywhere in the UI: "saport", "Logi", "Postsuk", "Warkers", "Vager", "col-vo asset", "Автовериф KYC" mixed with English.

Panel Screenshots

Home — Worker Dashboard

Worker "actual-currency", Payout 70%. Income: $0.00, Call deposit: 0, Users: 0. Empty Traffic and Deposits charts. Search by mail or transaction hash. Note: Users count stays 0 even after registering a victim — registrations stolen by platform.


Promo Codes — Creation & List

Promo code creation form: Custom/Global toggle, "The orders call-to-walk" (broken English), amount in USDT, "Vager" (wager), "Error in output" message. Table: Promocode, Currency, Amount, "Col-vo asset" (quantity — Russian transliteration), Amount of deposits, Error in output, Date.


API Documentation

API requires X-API-KEY header. Endpoints: Promo codes (POST custom/generate, GET/PATCH/DELETE by name, GET stats), Domains (POST create, PATCH by name), "Warkers" (POST create, PATCH update via /appeal/workers-ap/), Predictions (chicken_road game predict by difficulty/hash).


Settings — Basic Configuration

Commission on deposit: 1%, Commission on withdrawal: 1%, Minimum deposit: 100 USDT, Required deposit: 100 USDT. Error messages shown to victims when they try to withdraw: "Your withdrawal has been flagged as high-risk by our system. To proceed, please make a confirmation deposit with any cryptocurrency." Same message for KYC error ("KYC ошибка"). Auto-verify KYC in 30 seconds. "Presets of errors" section for custom scam messages.


Settings — Worker Account, Telegram, Live Support

Worker account trigger word (auto-verify if email contains the word). Example shown: [email protected]. "Postsuk in Telegram" (postback) — up to 5 taps, requires BotFather token, chat/channel ID via @JsonDumpBot. Live support settings: "Live saport online" toggle, greeting/welcome message toggle.


Telegram Actors (Project Support)

SUPPORT @memorycrypto ID: 6938945548

Registered: December 2023 / March 2024

SUPPORT @abszv ID: 6684395748

Also: @netyvremeny, @imsot1r3d

Messages: 34,708 in 89 groups

Active: 2023-12-16 to 2026-01-31

Diversity: 87.72%

Replies: 27.76%, Media: 7.59%

Location: Voronezh (Воронеж №1 chat member)

Favorite group: Ебучий ADS чат 4.0

Top reply contacts

@bars_rrr (Mor9к ADS) — 898

@waveseII (WAVE SELL) — 290

@abszv (self) — 215

@proliv1 — 195

@neverzleep (Teddy) — 74

Notable groups

Ебучий Google ADS Medusa ADS | Теневой (2231) DEX_DEGENS (324) Switch (129) sad cat gamble Darknet News СИНДИКАТ НОВОСТИ Octo Browser Антидетект FORTUNA КАПИТАЛИСТ

Frequent words

моряк (200+) бурак внатуре швец веив логи покупаю льет

Psychotype Assessment

High aggression as compensation. Key pattern: "wants quick money, avoids responsibility, angry it's not working."

Unreliable in partnerships. Unstable in business. Loud but empty in conflict. Expendable in schemes — creates background noise of the scam ecosystem. Danger is not strategic but statistical.

Tech Stack (from source analysis)

Frontend

  • Next.js (React) + Turbopack
  • Sentry — release [email protected]
  • OpenReplay session recording
  • PostHog analytics
  • Facebook Pixel (dynamic)

Backend

  • NestJS (Node.js)
  • JWT HS256 auth
  • Zod validation
  • Cloudflare CDN
  • Russian + English mixed in UI and errors

Panel Sections (from sidebar)

  • Home
  • Users
  • Deposits
  • Live saport (typo)
  • Promo codes
  • Logi (typo)
  • Domains
  • Payments
  • API
  • Sapport (typo)
  • Settings

Scam Error Messages (shown to victims on withdrawal)

"Your withdrawal has been flagged as high-risk by our system. To proceed, please make a confirmation deposit with any cryptocurrency. The deposited amount will remain in your account and can be withdrawn at any time. We apologize for the inconvenience and appreciate your understanding as we work to keep our platform secure and reliable."

Same message used for both "Error in output" and "KYC ошибка" — the confirmation deposit is never withdrawable.

Infrastructure — 59 Domains, 3 IPs

All domains sit behind Cloudflare. The backend is hosted on Aeza (Aeza International Ltd, Saudi Arabia, and Aeza Group LLC, Moscow). Every domain uses the identical title pattern: {BrandName}: Crypto Casino Games & Casino Slot Games - Crypto Gambling.

Based on worker ID #1005, we estimate ~1000 total accounts (workers + victims combined), which is extremely low for a panel-as-a-service. Support recruits workers as affiliates from crypto/ADS Telegram chats, but the theft model is blatant and obvious. The libraries appear not to have been updated.

postfinance-user-auth.com is a bank phishing domain (PostFinance, Swiss bank) running the same casino panel template, indicating that the platform is used for phishing beyond fake casinos.
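A defender-side check for the two page-level fingerprints reported here, the shared title template and the withdrawal message, follows as an added example; it is not PhishDestroy's tooling. The `classify` function, the sample document and the `ExampleBrand` name are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Title template reported on this page:
# "{BrandName}: Crypto Casino Games & Casino Slot Games - Crypto Gambling"
TITLE_RE = re.compile(
    r"^(?P<brand>[^:]{1,64}):\s*Crypto Casino Games\s*&\s*"
    r"Casino Slot Games\s*-\s*Crypto Gambling$", re.IGNORECASE)
# Fragments of the withdrawal message quoted on this page (lowercased).
LURE_PHRASES = ("flagged as high-risk by our system",
                "please make a confirmation deposit")
# Constructed sample document; "ExampleBrand" is a placeholder, not a real site.
SAMPLE = ("<html><head><title>ExampleBrand: Crypto Casino Games &amp; Casino "
          "Slot Games - Crypto Gambling</title></head><body><p>Your withdrawal "
          "has been flagged as high-risk by our system. To proceed, please "
          "make a confirmation deposit with any cryptocurrency.</p></body></html>")

class _PageText(HTMLParser):
    """Collects <title> text separately from the rest of the page text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title = False
        self.title, self.body = [], []
    def handle_starttag(self, tag, attrs):
        self.in_title = self.in_title or tag == "title"
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        (self.title if self.in_title else self.body).append(data)

def _norm(text):
    # Decode leftover entities and collapse whitespace before matching.
    return re.sub(r"\s+", " ", html.unescape(text)).strip()

def classify(page_html):
    """Report which of the two page-level fingerprints a document matches."""
    parser = _PageText()
    parser.feed(page_html)
    parser.close()  # flush text the parser may still be buffering
    title = _norm("".join(parser.title))
    body = _norm(" ".join(parser.body)).lower()
    m = TITLE_RE.match(title)
    lure = all(p in body for p in LURE_PHRASES)
    verdict = "template" if m else ("lure-only" if lure else "no-match")
    return {"brand": m.group("brand").strip() if m else None,
            "lure": lure, "verdict": verdict}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "lure-only" verdict covers pages that reuse the withdrawal message under a different title, so it is worth triaging separately from full template matches.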

IPs (Backend)

  • 77.110.103.90 (Aeza International Ltd, Riyadh SA)
  • 176.46.152.13:3000 (Bala Cynwyd, US)
  • 77.221.151.196 (Aeza Group LLC, Moscow RU)

All 59 Domains (from scan)


Repository Contents

  • IOCs (JSON): Full indicators of compromise
  • Panel Screenshots: 5 screenshots of the admin panel
  • Support Messages (@abszv): Messages and chat activity of support actor
  • Groups (@abszv): 89 groups where support actor is active
  • Domain Scan (CSV): 59 domains + 3 IPs with full scan data

Collected by PhishDestroy | 2026-01-31