Fraudsters Are Running a $1M Crypto Scam Using Delta and Other Big-Name Brands

A new wave of “task scams” is hijacking the logos of U.S. household names—Delta Airlines, AMC Theatres, Universal Studios, and Epic Records among them—in a bid to lure victims into depositing cryptocurrency under the guise of becoming paid brand “agents.”

Researchers at Netcraft uncovered DeltaAirlineiVIP[.]com, a fraudulent site that anchors a larger cluster of template-driven scams already tied to more than $1 million in blockchain transactions. Victims are promised commissions for completing simple digital “tasks,” like booking flights, but access to these rewards requires first paying to become a VIP member.

A Template for Multi-Brand Deception

The operation resembles job-task scams that have been circulating globally, including those reported by Australia’s ABC News. In the Delta variant, participants are pitched as flight-booking agents, earning fractions of a dollar in stablecoins for each transaction. But the real money flows the other way: would-be workers must stake crypto—anywhere from $100 to $50,000—into wallets controlled by the fraudsters.

Netcraft traced the scam to a registrant who claimed to be a “boxer” based in Dallas, a fake persona that linked back to hundreds of other domains spoofing DJI, Accor Hotels, and 20th Century Fox. Using blockchain transparency, the firm identified nearly $950,000 in USDC, $300,000 in ETH, $114,000 in Bitcoin, and additional sums in Tether flowing into associated wallets.

Alibaba’s Registrar Arm in the Spotlight

The infrastructure raises new questions about Dominet, the domain registrar run by Alibaba Cloud. The DeltaAirlineiVIP domain was registered there in June 2025, and researchers note a sharp uptick in threat actors leveraging Dominet since May, particularly groups behind smishing campaigns impersonating governments and toll agencies.

This isn’t the first time Alibaba’s registrar business has drawn attention. In March 2024, an earlier incarnation of the unit received an ICANN breach notice. Today, Alibaba Cloud remains one of the largest internet infrastructure providers globally, second only to AWS.

Technical Bread Crumbs

Behind the scam’s glossy façade, misconfigurations and API artifacts revealed the machinery. The Delta domain mistakenly pointed its records to a Hong Kong hosting provider previously linked to crypto fraud, fake shops, and phishing campaigns. A JSON configuration file exposed how the scam’s rules were automated—complete with brand logos, commission rates, and wallet addresses.

Netcraft also found counterfeit certificates of incorporation embedded in the scam portal, designed to reassure skeptics. The platform even issued unique invite codes, funnelling recruitment through encrypted peer-to-peer messages to make the scheme feel exclusive.

Why Detection Is Tricky

Unlike classic phishing, which ICANN formally defines as DNS abuse, these scams blur the lines by mixing fake branding, job-task mechanics, and crypto deposits. That ambiguity makes enforcement difficult for both registrars and regulators, since fraudsters aren’t always directly stealing credentials but instead coercing “investments.”

A Expanding Cluster

The research points to at least 15 other configuration files spoofing companies like Pixar, Disney, and Universal Studios. Many reference fresh crypto wallets, some already flush with six-figure sums. Netcraft says the “Boxer” scam cluster remains active and under monitoring.

“The ‘Boxer’ task scam cluster illustrates how opportunistic actors are weaponizing API-driven brand-impersonation templates to scale financially motivated fraud across multiple verticals,” Netcraft’s team explained.

For now, the fraudsters are still at large, minting new domains and re-skinning their templates with recognizable logos. For victims, the pitch is irresistible: earn easy commissions by helping a major brand. The reality is that the only ones cashing in are the scammers.