solana.monstagon.com

https://solana.monstagon.com/wrsj1?utm_campaign=AU01_REG_SHR_AGE_23_040825%3D01&cid=1247122060645865&fbid=1805166066772149&bid=VV&utm_medium=paid&utm_source=fb&utm_id=120244721261610333&utm_content=120244721261630333&utm_term=120244721261670333

104.21.77.40 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

290 days

HTTP

200 · 54.5s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "mininghorizon"

Save

Registered-domain escalation

Submit monstagon.com as the primary IOC, enriched with evidence from hostile subdomains like solana.monstagon.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

mininghorizon

Credential Phishing

cryptocurrency | finance | technology · 4/5/2026

Summary

The page at solana.monstagon.com presents a mininghorizon branding, including the page title mininghorizon and visual UI resembling a crypto/mining service. The domain contains the word 'solana', suggesting impersonation of a known crypto brand, while the SSL cert is issued to monstagon.com and the domain is under Cloudflare, but the page title and shown branding indicate mininghorizon rather than the legitimate Solana site. This indicates a credential collection attempt through a SPA that renders forms via JavaScript, with multiple external script bundles loaded to replicate a legitimate service interface.

Attack Techniques (6)

Typosquat/brand impersonation: domain solana.monstagon.com contains 'solana' signaling impersonation of a crypto serviceCloned SPA UI: static HTML has no forms; JavaScript bundles likely render credential capture UIBrand asset loading: external scripts and assets loaded from the subdomain to mimic legitimate brandingHigh script count on SPA: 63 scripts indicating a dynamic form and data capture flowWAF/CDN presence: Cloudflare hosting with a scanner-detection-evading setup (scans show WAF involvement and Cloudflare-backed domain)Brand confusion via page title and visual branding: mininghorizon branding present on a domain impersonating a crypto service

Indicators of Compromise (7)

▸DOMAIN IOC: solana.monstagon.com

▸URL path contains no explicit brand name beyond the root; query parameters show marketing campaign data

▸NETWORK IOCs: numerous external JS bundles from solana.monstagon.com (e.g., 714fbba8.js, eeb5bb89.js, 5bb2bf28.js, etc.)

▸HTML indicator: page title 'mininghorizon' matches branding in screenshot and content, not the domain

▸SSL certificate subject/issuer: CN monstallon? (actual subject shown: monstagon.com) indicating mismatch between domain and cert branding

▸Domain age: 290 days, registered via NameCheap; not excessively new but suspicious given impersonation signals

▸Blocker/anti-scan signals present: activity hints of scanner-block patterns in analysis data

Risk AssessmentUsed in abuse reports

The observed page impersonates Mining Horizon branding on a domain that includes the Solana name, solana.monstagon.com, creating a strong impersonation signal. The static HTML contains no forms, but a large set of external JavaScript assets suggests a SPA that renders credential capture interfaces at runtime, indicating phishing intent to harvest user data. The page title and visible branding align with Mining Horizon, while the domain hints at Solana impersonation, increasing risk of credential theft tied to a crypto service. The SSL cert is tied to monstagon.com, not the impersonated brand, and the site is hosted behind Cloudflare with a questionable certificate scope, raising suspicion of domain spoofing and rapid lifecycle changes. This combination of brand mismatch, SPA-based credential capture potential, multiple external assets, and WAF-related characteristics constitutes a high-risk credential-phishing operation that demands immediate containment.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence