0/100

critical Risk

compilyn.net

https://compilyn.net/

104.21.12.197 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

46 days

HTTP

200 · 18.7s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "CODE COMPILER"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

compilyn.net

Vendors

23/30

Status

partial

✓ phishreport✓ avast✓ yandex✓ polyswarm✓ kaspersky⟳ isitphish✓ sophos✓ eset✓ avg✓ bitdefender✓ microsoft✓ brightcloud⟳ openphish⟳ apple⟳ apwg⟳ cisa⟳ emsisoft✓ netcraft✓ phishtank✓ drweb✗ norton✓ urlquery✓ spamhaus✓ urlscan✓ virustotal✓ urlabuse✓ threatyeti✓ google✓ mcafee✓ fortiguard

KB/IOK Matches (1)May 26, 2026, 07:51 AM UTC

remix.live-clone-kit

remix-live-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

compilyn.net

Payment Fraud

Cryptocurrency · 6/3/2026

Summary

The page presents a CODE COMPILER title on compilyn.net with SPA-like behavior inferred from many JS assets and API endpoints. The page appears to be a code editor environment rather than a classic credential phishing form, and there is no explicit impersonation of a well-known brand in the visible UI. However, several tracking endpoints and wallet-related scripts are loaded, indicating analytics and potential blockchain wallet interactions. The evidence does not conclusively show credential harvesting or impersonation of a third-party brand, but the presence of tracking/config endpoints and wallet integration warrants cautious monitoring for abuse potential. Analyst context noted: This is a fake Remix/Solidity IDE phishing kit. The page imitates a browser-based smart contract compiler and deploy tool, likely targeting Web3 users by encouraging wallet interaction or malicious contract deployment r...

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Content changed across stages: visible text changed materially.

▸POST targets observed during capture: https://www.google.com/ccm/collect?rcb=16&frm=0&auid=756094110.1779781883&dt=CODE%20COMPILER&en=page_view&dl=https%3A%2F%2Fcompilyn.net%2F&scrsrc=www.googletagmanager.com&rnd=38422880.1779781883&navt=n&npa=0&gtm=45be65k1v9251919071za200zd9251919071xec&gcd=13l3l3l3l1l1&dma=0&tag_exp=0~115938466~115938468~116701381~118012007~118689381&apve=1&apvf=f&apvc=1&tids=AW-17956280697&tid=AW-17956280697&tft=1779781882651&tfd=1525, https://www.google.com/rmkt/collect/17956280697/?random=1779781882632&cv=11&fst=1779781882632&fmt=8&bg=ffffff&guid=ON&async=1&en=gtag.config&gtm=45be65k1v9251919071za200zd9251919071xec&gcd=13l3l3l3l1l1&dma=0&tag_exp=0~115938466~115938468~116701381~118012007~118689381&u_w=1280&u_h=720&url=https%3A%2F%2Fcompilyn.net%2F&rcb=16&frm=0&tiba=CODE%20COMPILER&hn=www.googleadservices.com&npa=0&pscdl=noapi&auid=756094110.1779781883&uaa=x86&uab=64&uafvl=Not%253AA-Brand%3B99.0.0.0%7CHeadlessChrome%3B145.0.7632.6%7CChromium%3B145.0.7632.6&uamb=0&uam=&uap=Windows&uapv=10.0&uaw=0&data=event%3Dgtag.config&gcp=5, https://compilyn.net/api/trackWallets.

▸Distinctive asset clues: javascript.min.js, codemirror.min.js, codemirror.min.css, material-darker.min.css, 17956280697.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: Yes

visible text changed materially

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 54

Hosts: 7

Domains: 7

Suspicious Endpoints

hxxps://compilyn[.]net/api/tracking-config

hxxps://compilyn[.]net/api/trackWallets

hxxps://compilyn[.]net/api/markHuman

Attack Techniques (4)

Web3/wallet interaction lureAnalyst-identified phishing kitSPA-like behavior with credential capture risk due to dynamically rendered forms (no static login fields in HTML but multiple JS bundles loaded).External analytics / ad-related requests and wallet-connect integrations suggesting potential data exfiltration paths via tracking endpoints.

Indicators of Compromise (3)

▸Analyst context identifies wallet/Web3 targeting

▸No static login form in HTML; SPA likely renders forms via JavaScript (credential capture risk).

▸Screenshots show a UI titled CODE COMPILER with CodeMirror editor rather than a known brand, suggesting a development tool rather than impersonation of a payment or login-flow site.

Risk AssessmentUsed in abuse reports

The domain compilyn.net is newly registered and resolves behind Cloudflare. The page loads numerous third-party scripts (Google Analytics/Ads, Cloudflare beacon, CodeMirror, Web3, WalletConnect) and exposes endpoints for tracking and wallet-related actions. There is no static login form observed in the HTML, but the SPA architecture means credential capture could occur via dynamically injected forms. While there is no definitive impersonation of a well-known brand, the combination of wallet integration and tracking suggests potential data exposure risks if misused. Recommend monitoring and further analysis of network requests and data handling in the SPA to rule out credential or sensitive data capture. Analyst context was provided and corroborated during this assessment (This is a fake Remix/Solidity IDE phishing kit. The page imitates a browser-based smart contract compiler and deploy tool, likely targeting Web3 users by encouraging wallet interaction or malicious contract deployment r...). Because analyst context identifies an active phishing or fraud kit, domain suspension is recommended rather than passive monitoring.

Recommended Action

Suspend Domain

Cross-Reference9

URL Intelligence