TLP:WHITE — PUBLIC · SEVERITY: HIGH
Threat Intelligence Report · CNTI-2026-001 v2.0

MutaCryptor Scam Network

Crypto-Enabled Internship Fraud Campaign · Correlation: MutaEngine | VRV Security | Zorvyn FinTech

Author: Nathaniel T.O (Cyber Nate)
Published: April 18, 2026
Threat Actor: INTERN-FRAUD-01
Victims: India, Nigeria, Global
Classification: TLP:WHITE

Executive Summary

This report documents a coordinated internship fraud network actively targeting technology and cybersecurity job seekers globally since at least mid-2024. The operation creates elaborate fake companies with professional-grade websites, employee portals, legally styled offer letters, and automated onboarding infrastructure — then solicits cryptocurrency payments for a software product called MutaCryptor by MutaEngine.

Two fake company shells are confirmed: VRV Security and Zorvyn FinTech. The author was personally targeted by Zorvyn FinTech in April 2026, enabling firsthand documentation of the complete 8-phase attack chain. The infrastructure collapsed (NXDOMAIN) during the active investigation. Critical finding: payment is Bitcoin-only, with 15-minute rotating wallet addresses, a deliberately untraceable criminal financial architecture.

8-Phase Attack Chain

01 · Target Acquisition

Mass screening invitations via Internshala, LinkedIn, and job platforms. Realistic timed technical assessments to build psychological investment.

02 · Screening & Legitimacy Layer

90-minute multiple-choice assessment on real cybersecurity topics via branded portal (screening.zorvyn.live).

03 · Offer & Trust Building

Formal offer letter with NDA, INR 45,000/month stipend (above market), PPO up to INR 16 LPA. CEO signature. "Zorvyn never charges fees" statement — designed to lower guard.

04 · Onboarding Infrastructure

Employee portal access, welcome kit order (Dell Pro 14 laptop, merch). PII harvested: address, passport photo, ID card, banking details under cover of payroll setup.

05 · Manager Introduction & Training Framing

Fake reporting manager Mudiwa Mkonto assigns 15-day training plan on real cybersecurity topics — adds credibility, primes the purchase.

06 · Monetization Trigger ⚠️

Training task: purchase MutaCryptor from mutaengine.cloud. 48-hour deadline. "Do not use AI tools" instruction — prevents research. "Do not discuss with anyone" — isolation tactic.

07 · Crypto Payment Extraction 🔴

Bitcoin-only checkout at pay.mutaengine.cloud. Dynamic rotating wallet addresses. 15-minute invoice expiry. Irreversible. No KYC. Funds routed through mixing services.

08 · Data Retention & Infrastructure Teardown

PII collected regardless of payment. Infrastructure torn down (NXDOMAIN) after exposure. Cycle restarts under new shell company identity.

Key Indicators of Compromise (18+ IOCs)

Primary Domain: zorvyn[.]io
Employee Portal: workplace.zorvyn[.]live (NXDOMAIN)
Payment Gateway: pay.mutaengine[.]cloud
Prior Shell: vrvsecurity[.]in (trust 2/100)
BTC Wallet 1: bc1qqe3efq079rymkjer2jnvcllqr7lt5fkgeks50k
BTC Wallet 2: bc1q2h0q5z4lkd9zvaq3twp4cv3gpa0xj5elqem7s7
BTC Wallet 3: bc1qvgka8h7z2wzu7jzqcspvlp9fcte6y6spvul84a
Fake Manager: Mudiwa Mkonto (AI-generated persona)
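
One way to put the indicators above to work: the following Python example (added here, not part of the original report) refangs the listed domains and checks DNS/proxy log lines and ticket text for them and for the three wallets. The log format, the sample lines, the `PARENT_ZONES` list and all function names are assumptions made for this example.

```python
import re

# Indicators exactly as listed in the IOC section of this report (defanged).
DEFANGED_DOMAINS = ["zorvyn[.]io", "workplace.zorvyn[.]live",
                    "pay.mutaengine[.]cloud", "vrvsecurity[.]in"]
# Assumption for this example: also watch the parent zones of the hosts the
# attack chain names (screening.zorvyn.live, mutaengine.cloud).
PARENT_ZONES = ["zorvyn.live", "mutaengine.cloud"]
BTC_WALLETS = {"bc1qqe3efq079rymkjer2jnvcllqr7lt5fkgeks50k",
               "bc1q2h0q5z4lkd9zvaq3twp4cv3gpa0xj5elqem7s7",
               "bc1qvgka8h7z2wzu7jzqcspvlp9fcte6y6spvul84a"}

HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
WALLET_RE = re.compile(r"\bbc1[0-9a-z]{20,80}\b")

def refang(text):
    """Undo '[.]' defanging and lowercase, so tickets and logs compare equally."""
    return text.replace("[.]", ".").lower()

WATCHLIST = {refang(d) for d in DEFANGED_DOMAINS} | set(PARENT_ZONES)

def match_domain(host):
    """Return the watchlist entry equal to host or a parent of it, else None."""
    labels = refang(host).strip(".").split(".")
    # Walk label boundaries so 'notzorvyn.io' never matches 'zorvyn.io'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None

def scan(lines):
    """Return (line_no, kind, indicator) for every hit in the given lines."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw)
        for host in HOST_RE.findall(line):
            hit = match_domain(host)
            if hit:
                hits.append((n, "domain", hit))
        hits += [(n, "btc_wallet", w) for w in WALLET_RE.findall(line)
                 if w in BTC_WALLETS]
    return hits

# Constructed sample input: DNS/proxy log lines and help-desk ticket text.
SAMPLE = [
    "2026-04-10T09:12:01Z 10.0.0.5 query screening.zorvyn.live A",
    "2026-04-10T09:12:07Z 10.0.0.5 query notzorvyn.io A",
    "2026-04-10T09:14:30Z 10.0.0.9 GET https://pay.mutaengine.cloud/ 200",
    "ticket 4411: user asked to send BTC to bc1q2h0q5z4lkd9zvaq3twp4cv3gpa0xj5elqem7s7",
    "ticket 4412: offer letter links to vrvsecurity[.]in",
]
```

Because the checkout rotates wallet addresses, the three listed wallets only catch reuse, and since the portal already resolves NXDOMAIN, a matcher like this is mostly useful for hunting through historical logs and inbound reports.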

MITRE ATT&CK Mapping

T1566 — Phishing (Initial Access)
T1583 — Establish Infrastructure
T1584 — Compromise Infrastructure (Identity Theft)
T1587 — Develop Capabilities (AI Personas)
T1567 — Exfiltration over Web Service

📄 Read the Full 20-Page TI Report

Full attack chain documentation, threat actor profile, cryptocurrency obfuscation mechanism, correlation analysis, and law enforcement recommendations.
