Picture this: You’re scrolling through Instagram when a message pops up. Someone claiming to be dying wants to leave you 7 million USDT. They even provide login credentials to prove it’s real. Thousands of users are receiving these messages right now, and some are falling for what has become one of the largest coordinated crypto scams we’ve investigated.
The scam operates through a network of over 60 fake cryptocurrency platforms, all following the same playbook. After digging through victim reports and analyzing the infrastructure, we uncovered how this operation works – and why people keep falling for it despite the obvious red flags.
Following the Digital Trail: How We Found the Scammers
Our investigation started with a simple Instagram DM that one victim shared: “Me llegó por Instagram un mensaje que me hablaba que me dejaba un dinero porque él iba a morir” (I received an Instagram message telling me they were leaving me money because they were going to die). The message came with login credentials to a site called coinvbs.com.
A Ukrainian user told us what happened next: “I was sitting on Instagram when this message came – ‘I have cancer, I don’t have long left, I loved you, so here’s a gift.’ They gave me a login and password. Against my better judgment, I logged in. The balance showed 4 million USDT. To withdraw? They wanted my crypto wallet address and private key. That’s when I knew it was a scam and backed out.”
But here’s where it gets interesting. This wasn’t just one fake site – it’s an entire network. The same scam, the same fake balances, the same cancer story, but spread across dozens of domains that all look like legitimate crypto exchanges. Think of it as a digital hydra – cut off one head, and two more appear.
The attackers provide login credentials to their fake platforms, where victims see tantalizing balances – often exceeding 7 million USDT. One victim reported accessing miryy[.]com: “I entered the username and password and they were correct. Logging into the account, it’s real that it has an asset of 7,000,000 USDT which I cannot withdraw because it asks for a key that only the account creator has.”
The Domain Game: 60+ Fake Sites and Counting
One frustrated victim decided to do their own detective work and shared what they found: “It’s a whole scam network – mirjz.com, mirwf.com, mirvf.com, and many others all claiming to be USDT storage centers. They constantly demand deposits with different excuses. Try to withdraw? More deposits needed. Try to contact someone? You only get a fake customer service rep who’s in on the scam.”
Through victim reports on Gridinsoft’s Website Reputation Checker, we compiled a list of confirmed scam domains. Ready for this? There are over 60 of them:
Confirmed scam domains: mirpr[.]com, mirrr[.]vip, miroo[.]vip, mircw[.]com, mirmt[.]com, mirgg[.]vip, mirdd[.]vip, mirgw[.]com, mirdx[.]com, miryy[.]com, mirzq[.]com, mirddw[.]vip, miraa[.]vip, mirss[.]vip, mirpw[.]com, mirqw[.]com, mirzv[.]com, mirzz[.]vip, mirnn[.]vip, mirbb[.]vip, mirnv[.]com, mirsn[.]com, miruu[.]vip, mirmoo[.]vip, mirnj[.]com, mirkp[.]com, mirjz[.]com, mirff[.]vip, mirmr[.]com, mirvx[.]com, mircc[.]vip, mirwr[.]com, mirwf[.]com, mirvf[.]com, coincku[.]com, coinksx[.]com, cointof[.]com, coinehg[.]com, coinyfo[.]com, coinygg[.]com, cointez[.]com, coinseb[.]com, coinwod[.]com, coinvbs[.]com, coinovt[.]com, coinkpr[.]com, dlcex[.]com, localizer[.]ifonetool[.]com, haa[.]cc, ggk[.]cc, ddu[.]cc, beb[.]cc, xok[.]cc, mzm[.]cc, mwx[.]cc, okz[.]cc, kuk[.]cc, ukk[.]cc, msj[.]cc, mwk[.]cc, oyy[.]cc, dsd[.]cc, mfff[.]net.
One smart user got suspicious: “I just wanted to check if this mirmr page was real. They gave me an account with way too much money… I wanted to investigate before doing anything.” That caution? It saved them from becoming another victim.
Notice the pattern? All these domains follow a formula: take “mir” and add random letters, or use “coin” with gibberish, or just grab a two-letter .cc domain. It’s like they’re using a domain name generator set to “scam mode.” When one gets reported and blocked, five new ones pop up. It’s whack-a-mole, but with fake crypto exchanges.
New Short-Domain Copies: Hbq.cc, Gkr.cc, Iyz.cc and More
The same fake-exchange family is now appearing under shorter domains that are easier to send in Instagram, TikTok, or Telegram messages. Recent Gridinsoft URL Scanner reports flag Hbq.cc, Gkr.cc, Iyz.cc, Gwr.cc, Zmz.cc, Me75.com, Ucq.cc, and Kvf.cc as crypto-scam pages. The domain name changes, but the user path stays familiar: a stranger offers access to a large USDT balance, the site shows fake funds, and withdrawal suddenly requires a deposit, verification payment, tax, upgrade fee, wallet key, or seed phrase.
| Current domain pattern | Safe decision |
|---|---|
| Hbq.cc, Gkr.cc, Iyz.cc, Gwr.cc | Do not sign in, reuse passwords, or pay a verification fee to unlock a displayed USDT balance. |
| Zmz.cc, Me75.com, Ucq.cc, Kvf.cc | Treat wallet-key, seed-phrase, and private-key requests as account-theft attempts, not withdrawal checks. |
| Any new short domain sent with a dying-relative, inheritance, giveaway, or recovery story | Open the exchange by typing its official address yourself. If you cannot verify the company outside the message, assume the balance is fake. |
The math here is simple: with 60+ domains running the same scam, even a tiny success rate means big money. Each victim who deposits that “verification fee” of $500-5000 adds up. New domains cost pennies, but the returns? We’re talking serious criminal profit.
Why Do People Fall for This? The Psychology is Fascinating
Let’s be honest – getting a random message about inheriting millions should trigger every scam alarm in your brain. But here’s the thing: these scammers are playing a different game. They’re not just after your money; they’re hacking your emotions first. The cancer story? That’s designed to short-circuit your skepticism with sympathy. It’s social engineering 101, but executed brilliantly.
Then comes the masterstroke – they let you log in and see the money. One victim described it perfectly: “When I logged in, it was real – the account had 7,000,000 USDT.” That visual confirmation is powerful. Your brain sees those numbers and starts believing, even when logic says it’s impossible.
Some people get curious and decide to play detective. One user admitted: “I created an account, I’m testing little by little the deposits and withdrawals to confirm if they’re scammers.” That’s exactly what the criminals want – curiosity leading to “small” test deposits that never come back.
It’s the same psychology behind those fake Elon Musk crypto giveaways – show people money they think is theirs, and watch rational thinking evaporate. By the time they ask for that “tiny” $500 verification fee, victims have already mentally spent their millions. Compared to 7 million USDT, what’s $500, right? That’s the trap.
The Real Cost: Following the Money Trail
Here’s where it gets ugly. The “verification fee” starts at $500-5000, but that’s just the appetizer. Once you pay, suddenly there are “taxes,” “transfer fees,” “account upgrades” – the menu of fake charges keeps growing until your wallet is empty or you wise up.
Another person almost fell for it but caught on just in time: “Got a suspicious DM from an account with a woman’s picture. They said they had cancer and wanted to leave me over 1 million USDT. I don’t even know this person. Obviously a scam.”
But here’s the nightmare scenario: some victims hand over their wallet private keys thinking it’s needed for the “transfer.” Game over. That’s not just losing a deposit – that’s giving criminals the keys to your entire crypto holdings. If you want to understand why that’s so dangerous, check out this piece on how crypto wallets actually get hacked.
The worst part? Most victims never report it. Too embarrassed, too ashamed. The scammers count on this silence to keep operating.
The Bigger Picture: It’s Not Just One Scam
Here’s what our investigation uncovered: this isn’t an isolated operation. The same crew running these inheritance scams? They’re probably behind those fake token presales you’ve been seeing. Same playbook, different story.
The technical setup matches what we’ve seen in fake Binance security alerts and other exchange scams. But adding the dying person angle? That’s new. And unfortunately, it works better than you’d think.
How to Spot This Scam (and Not Become Victim #10,001)
Let’s keep it simple. Here are the dead giveaways:
- Random crypto inheritance messages = Scam. Every. Single. Time.
- “I’m dying and want to give you money” = They’re not dying, they want YOUR money
- Pay to withdraw “your” funds = If it’s yours, why are you paying?
- They want your private keys = Never. Not even if they claim to be Satoshi Nakamoto himself
- Domains like mir-whatever[.]com, Hbq.cc, or Gkr.cc = Check the scanner report first. If it is tied to this fake-exchange pattern, close the page.
Before trusting any crypto platform, do your homework. Use tools like Gridinsoft’s Website Reputation Checker to verify if a site is legit. And please, enable 2FA on your Instagram – at least make the scammers work harder.
Got Targeted? Here’s Your Action Plan
If one of these messages lands in your DMs:
- Don’t reply – Even saying “no thanks” puts you on their “active user” list
- Do not test the login – A fake dashboard can still collect your IP, password habits, wallet address, or browser data
- Screenshot everything – Evidence first, then report and block
- Report to Instagram – They’re slow, but every report counts
- Warn your followers – Post about it. These scammers hate exposure
- Lock down your DMs – Check who can message you in settings
Already sent them money? Act fast:
- Contact your crypto exchange immediately if you sent funds or exposed an exchange account
- File a police report (they need the data even if they can’t help)
- Report to IC3.gov if you’re in the US
- Change reused passwords from a clean device and enable 2FA on Instagram, email, and crypto accounts
- Revoke suspicious sessions, wallet approvals, API keys, and trade links where your wallet or exchange supports it
- Check your devices for malware if you downloaded anything, installed an extension, or let a support agent connect remotely
What’s Next for This Scam?
Instagram’s playing catch-up. By the time one account sending these messages is banned, more are already active. The mir*, coin*, and short .cc domain patterns keep rotating, so the safest move is to judge the story and withdrawal demand, not only the current domain name.
The scammers are already evolving. We’re seeing variations with “lottery winnings,” “unclaimed family estates,” and short fake-exchange domains that rotate faster than older mir* and coin* names. AI-generated video or voice messages may make the dying-person story feel more personal, but the playbook stays the same: free money first, irreversible payment or wallet access second.
Bottom line: As long as people keep falling for “free money from strangers,” these scams will exist. The only real defense? Education and skepticism. If someone you don’t know wants to give you millions, they don’t. It’s that simple.
