chainabuse.com

[IS] elsbbook.sgesge.com — Chinese shuadan task scam running paid IG ads impersonating Booking.com Got an unsolicited job offer via Instagram today — turned out to be a paid ad impersonating Booking.com. The link looked off, so I pulled the site apart before touching anything. Posting the recon so the IOCs are searchable and other people can spot the pattern in their own DMs or feeds. \*\*Delivery vectors observed:\*\* \- Paid Instagram ads impersonating [Booking.com](http://Booking.com) (Sponsored label, branded imagery) \- Cold Instagram DMs from throwaway accounts pitching "remote reviewer" style jobs \*\*What the site actually is:\*\* \- Domain registered \*\*2026-02-20\*\* through Dynadot (\~2 months old). Verified via RDAP. \- Fronted by Cloudflare (nameservers \`aarav.ns.cloudflare.com\`, \`elsa.ns.cloudflare.com\`). Origin IP hidden. \- Frontend: Vue.js SPA using uView UI (a Chinese Vue component library). \- Backend: ThinkPHP. Confirmed by \`PHPSESSID\` and \`think\_lang=zh-cn\` cookies on the API subdomain. \- Page HTML is \`<html lang="zh-CN">\`. The English you see on the surface is a translated veneer; the bundle underneath is Chinese. \*\*Strings pulled directly from the JavaScript bundle:\*\* \`\`\` 需要重置一组任务才能提取 must reset a set of tasks to withdraw 您還有未完成的訂單 you still have unfinished orders 每天只能取款一次 can only withdraw once per day 邀請碼 invitation code 充值 recharge / deposit 提現密碼 withdrawal password 數據優化服務 "data optimization service" \`\`\` Financial-rail fields in the bundle: \`USDT\_tx\` (Tron USDT withdrawal address), \`bank\_name\`, bank card number. It takes both crypto and fiat. \*\*Why this is diagnostic of shuadan (刷单) / task scam:\*\* The combination of (a) an "unfinished orders" blocker on withdrawal, (b) a forced "recharge" to continue, (c) a separate withdrawal password, and (d) a "task reset" fee is the canonical