How a Fake ₴35,000 “e-Receipt” Exposed a Network of CPA Sites, Asterisk PBX Infrastructure, and an Office of the Prosecutor General Case

27.05.2026 12 minutes

Anonymous OSINT investigation. No VPNs, no active attacks, no NDAs — just public data, RIPE, crt.sh, Wayback Machine, company registries, court records, and a bit of healthy cynicism.

For Those Who Only Read the First Paragraph

If you received an SMS from “eKredit.ua” with an “e-Receipt №K-937” for 35,032 UAH and a link to ekredit.org/k-e-start, congratulations — your data is likely part of the old Moneyveo customer database that the CPA network LetMeAds legally collected back in 2017-2019, when Moneyveo was one of its top partners paying 270 UAH per lead (hello from the Wayback Machine snapshot of letmeads.com dated 2018-02-03).

Six years after Moneyveo disappeared from their partner catalogue, the database apparently stayed behind. CPA contracts, unsurprisingly, did not require its destruction. And since the operator in Konotop was running their own Asterisk PBX setup, SMS gateway, and a 128-SIM GOIP-32 farm (according to a May 2025 Freelancehunt project specifically mentioning “Vodafone↔Vodafone anti-fraud bypass”), the evening of May 20, 2026 clearly wasn’t a quiet one.

The best part? The same operator has already spent the last three years appearing in an Office of the Prosecutor General criminal investigation tied to CreditPlus/Aventus, listed as entity #10 among 52 connected subjects. Nobody linked it to phishing before, mostly because the wonderfully innocent-looking legal name in the registry was simply “Partnerski Programy LLC”.

1. The Artifact

[Alpha Sender: eKredit.ua]

🧾 e-Receipt №K-937

Operation: transfer
Amount: 35,032 UAH
Method: automatic
Calls: 0

Confirm:
https://ekredit.org/k-e-start

11:35 AM, iPhone. The victim is a former Moneyveo customer. At first glance, it looks like yet another generic “urgent confirmation required” SMS scam. But then things start getting a lot more interesting.

2. The First Strange Detail: The Domain Is Older Than Half the Internet

ekredit.org WHOIS history from WhoisXMLAPI shows 39 separate records spanning the last 14 years.

In other words, the domain lived for 14 years, built up a reputation in anti-fraud filters, was dropped, and the new “owners” picked it up 4 days before the start of the SMS campaign. This is not a coincidence; it is aged-domain abuse, a classic technique: a freshly registered .org gets caught by Google Safe Browsing within a day, while a 14-year-old one slips through.

Registrar – Hosting Ukraine LLC. NS – inhostedns.{com,net,org}. Certificate – Let’s Encrypt E8, issued 2026-04-12 (monthly rotation). Everything according to the textbook.
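A filter can catch the drop-and-repurchase pattern described above by scoring a domain on the age of its current registration rather than on its first one. The sketch below is an added example, not part of the original investigation; the WHOIS-history records, dates, thresholds and function names are all constructed for illustration.

```python
from datetime import date

# Constructed WHOIS-history snapshots: (snapshot date, "created" date, registrar).
DROPPED_AND_REBOUGHT = [
    (date(2012, 3, 1), date(2012, 2, 20), "Registrar A"),
    (date(2019, 6, 1), date(2012, 2, 20), "Registrar A"),
    (date(2024, 1, 15), date(2012, 2, 20), "Registrar A"),
    (date(2024, 9, 11), date(2024, 9, 10), "Registrar B"),  # creation date reset
]
CONTINUOUSLY_HELD = [
    (date(2012, 3, 1), date(2012, 2, 20), "Registrar A"),
    (date(2024, 9, 11), date(2012, 2, 20), "Registrar A"),
]


def registration_epochs(history):
    """Collapse snapshots into epochs; a changed 'created' date starts a new one."""
    epochs = []
    for seen, created, registrar in sorted(history):
        if epochs and epochs[-1]["created"] == created:
            epochs[-1]["last_seen"] = seen
        else:
            epochs.append({"created": created, "first_seen": seen,
                           "last_seen": seen, "registrar": registrar})
    return epochs


def assess(history, first_seen_in_traffic, fresh_days=30, aged_years=5):
    """Score a domain on the age of its current registration, not its first one."""
    epochs = registration_epochs(history)
    historical_years = (first_seen_in_traffic - epochs[0]["created"]).days / 365.25
    effective_days = (first_seen_in_traffic - epochs[-1]["created"]).days
    re_registered = len(epochs) > 1
    return {
        "epochs": len(epochs),
        "historical_age_years": round(historical_years, 1),
        "effective_age_days": effective_days,
        "aged_domain_abuse_suspected": (
            re_registered
            and 0 <= effective_days <= fresh_days
            and historical_years >= aged_years
        ),
    }


if __name__ == "__main__":
    seen = date(2024, 9, 14)  # constructed date of the first message carrying the link
    print(assess(DROPPED_AND_REBOUGHT, seen))
    print(assess(CONTINUOUSLY_HELD, seen))
```

A reputation system that keys on `effective_age_days` treats the repurchased domain like any other four-day-old registration, which is the property the aged-domain trick relies on being absent.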

3. The server that gave itself away

ekredit.org lives on IP 85.223.215.163. A standard check via reverse-IP and urlscan returns a list of what else is running on the same nginx:

  • bablos.com.ua – lead-gen site for the MFO Miloan (the footer states it outright: 04107, Kyiv, Bahhovutivska St. 17-21, LLC “MILOAN”, EDRPOU 40484607)

  • bigcredit.com.ua, creditpuls.com.ua, minicredit.in.ua, creditking.com.ua, moneybox.in.ua – a cluster of “0.01% loan” CPA lures

  • info.ekredit.org – a subdomain that serves og:url=https://bablos.com.ua/ (i.e. the same lead-gen site, just under the brand of the phishing domain)

Let’s look at the neighboring IPs in /29:

In effect: 5 active servers in the /24, all of them LetMeAds. An ASN correction: this is not “GTUA shared”, as the whois shell lookup initially showed, but AS15895 KSNET Datagroup, Brovary, dedicated hosting, rented under operational tier. This is their dedicated prod.

4. What exactly can be found in crt.sh, if you are not lazy

We query Certificate Transparency logs for letmeads.com and get 33 subdomains, 512 certificates. The juiciest ones:

vf-sms.letmeads.com
ast.letmeads.com
ast-cc.letmeads.com
ast-pg.letmeads.com
numbers.letmeads.com
vi-bots1-4.letmeads.com
tg-parsee.letmeads.com
call.letmeads.com
pdl.letmeads.com
ad.letmeads.com

That means the operator possesses a full SMS-spoofing stack: Asterisk + SMS gateway + phone number database + Telegram parser for target enrichment. This is exactly the vector through which the “e-Receipt No. K-937” messages are delivered with a spoofed Alpha Sender. The technical capability to carry out the attack is proven through public CT logs before we even look into the logs of the victims themselves.
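The same Certificate Transparency review works as an audit of what an organisation's own hostnames give away. The following is an added example, not the investigators' tooling: it parses records shaped like crt.sh's JSON output (`name_value`, `not_before`, `id`), with constructed sample data under `example.test` and a hypothetical `ROLE_HINTS` keyword table.

```python
import json
import re
from collections import defaultdict

# Constructed records in the shape of crt.sh JSON output; not real certificates.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "not_before": "2024-01-10T00:00:00", "name_value": "example.test\nwww.example.test"},
    {"id": 2, "not_before": "2024-03-02T00:00:00", "name_value": "ast.example.test"},
    {"id": 3, "not_before": "2024-05-01T00:00:00", "name_value": "ast.example.test"},
    {"id": 4, "not_before": "2024-04-11T00:00:00", "name_value": "*.example.test\nvf-sms.example.test"},
    {"id": 5, "not_before": "2024-06-20T00:00:00", "name_value": "mail.other.test"},
])

# Hypothetical label-to-role hints; a hostname token is a lead, not proof of function.
ROLE_HINTS = {"ast": "telephony", "call": "telephony",
              "sms": "SMS gateway", "numbers": "number database"}


def summarize_ct(raw_json, apex):
    """Return {hostname: {certs, first_seen, roles}} for names under `apex`."""
    hosts = defaultdict(lambda: {"certs": set(), "first_seen": None})
    for rec in json.loads(raw_json):
        # name_value holds one SAN per line; wildcards are folded into their base name.
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name != apex and not name.endswith("." + apex):
                continue  # out-of-scope name sharing a certificate or a search hit
            entry = hosts[name]
            entry["certs"].add(rec["id"])
            if entry["first_seen"] is None or rec["not_before"] < entry["first_seen"]:
                entry["first_seen"] = rec["not_before"]
    report = {}
    for name, entry in hosts.items():
        label = name[: -len(apex)].rstrip(".")
        tokens = re.split(r"[.-]", label)
        roles = sorted({ROLE_HINTS[t] for t in tokens if t in ROLE_HINTS})
        report[name] = {"certs": len(entry["certs"]),
                        "first_seen": entry["first_seen"], "roles": roles}
    return report


if __name__ == "__main__":
    for host, info in sorted(summarize_ct(SAMPLE_CRTSH_JSON, "example.test").items()):
        print(host, info)
```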

Confirmation arrived two weeks later through Freelancehunt: a May 2025 project from user Letmeads2, with the technical task described as “configuration of GOIP-32 (4 units, 128 SIM cards) for Asterisk, Vodafone-Vodafone anti-fraud bypass, integration with SMS API”. +30 days until the launch of ekredit.org. Coincidence? I don’t think so.

5. The PDL Backend They Forgot to Close

We go to Censys and search using the SSH host-key fingerprint of their own servers. On IP 185.124.8.185 (www.pdl.letmeads.com, Hosting Ukraine) we find:

  • FTP 21 ✓

  • SSH 22 ✓

  • HTTP 80 ✓

  • MySQL 3306

  • HTTPS 443 ✓

The same SSH fingerprint + the same ProxySQL cert → we find sibling 185.104.44.166 (business-59.default-host.net). A replica with an identical golden image. We obviously are not going to disclose the contents of MySQL — for us, that would already fall under Article 361 of the Criminal Code, not for them. But the fact of exposure is 100% documented through public Censys scans.

6. The Postback That Was Never Supposed to Be on GitHub

Using GitHub Code Search, we find the repository wearesho-team/bobra-cpa (a Kharkiv-based dev studio building code for MFO services). The file src/Letmeads/SendService.php contains a literal implementation of the postback request to LetMeAds:

GET https://ad.letmeads.com/api/v1.1/{client_secret}/get/postback.json
    ?code=Y
    &ref_id={mfo_id}
    &click_id={letmeads_ref}
Bonus points: in the neighbouring repository artjoker/cpa there is an example of a client_secret in the format y7r/dcfgs1tg:awvv47ghn1jv1f$am.

A production secret in a public repository, sitting there for six years. This is not a bug — this is a genre.

From the same repositories, the names of LetMeAds MFO clients fall out, along with a CPA-mesh map covering 17 networks, and a complete understanding of how leads actually move between players in the industry. In short: every lead is sold simultaneously to 3-5 MFOs, which then split it through a postback war of “who issued first”.
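Because this postback format carries `client_secret` as a path segment, the secret ends up wherever the URL is written down: source files, docs, access logs. The scanner below is an added example, not code from either repository; it flags postback URLs of that shape whose secret segment is a literal rather than a placeholder and redacts the value in its report. The host `cpa.example.test`, the file names and the sample secret are constructed.

```python
import re

# URL shape taken from the postback template above; the secret is the path
# segment between /api/v<version>/ and /get/postback.json (it may contain "/").
POSTBACK = re.compile(
    r"""(?P<head>https?://[^/\s"']+/api/v[\d.]+/)"""
    r"""(?P<secret>[^\s"']+?)"""
    r"""(?P<tail>/get/postback\.json)"""
)
# Segments that are templates or variable references, not literal secrets.
PLACEHOLDER = re.compile(r"^(\{\w+\}|\$\{?\w+\}?|%s|<\w+>)$")

# Constructed repository contents for the demonstration.
SAMPLE_FILES = {
    "src/SendService.php":
        '$url = "https://cpa.example.test/api/v1.1/{client_secret}/get/postback.json?code=Y";',
    "docs/example.md":
        "GET https://cpa.example.test/api/v1.1/CONSTRUCTED-NOT-A-REAL-SECRET/get/postback.json?code=Y",
    "config/env.php":
        '$url = "https://cpa.example.test/api/v1.1/${CPA_SECRET}/get/postback.json";',
}


def redact(text):
    """Replace the secret path segment of every postback URL in `text`."""
    return POSTBACK.sub(lambda m: m.group("head") + "[REDACTED]" + m.group("tail"), text)


def find_hardcoded_secrets(files):
    """Return (path, line number, redacted URL) for each literal secret found."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in POSTBACK.finditer(line):
                if not PLACEHOLDER.match(match.group("secret")):
                    findings.append((path, lineno, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_FILES):
        print(finding)
```

The same `redact` function can be applied to web-server and proxy logs before they are stored, since a path-embedded secret is logged on every request.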

7. Wayback Machine — The Time Machine That Destroys Alibis

We go to web.archive.org/web/2018-02-03/letmeads.com/. What do we see? A partner catalogue. Who is top-1 with a payout of 270 UAH per lead? Moneyveo.

[2018-02-03]
letmeads.com → top partner: MoneyVeo
rate: 270 UAH / lead

[2019-07-XX]
Moneyveo disappears from the catalogue

[2025-06-02]
ekredit.org is registered via Hosting Ukraine

[2026-05-20]
SMS messages with the “e-Receipt” start reaching
former Moneyveo customers

This is not “maybe they were a partner”, not “probably”. This is a public archival snapshot where Moneyveo is literally displayed on the homepage. That means LetMeAds was legally receiving phone numbers + full names + tax IDs of Moneyveo clients through a standard CPA channel for at least one and a half to two years, until the partnership ended.

What happens to the database after a partner leaves in the CPA model? Nothing. No standard CPA contract in Ukraine requires its destruction. The database remains inside the operator’s DB forever. In our case — 6 years. Then someone pulled it back off the shelf.

8. Who Exactly Is the “Operator” With Passport Data

This is where the adult-level OSINT part begins.

The LinkedIn profile vladimir-samoilov-b99085162 identifies itself as the CEO of LetMeAds. The email listed on actualtraffic.ru is [email protected]. Three breach matches exist for this email (1win.ru RU casino, cit0day.in, text.ru with a Citadel module). This is phase 5 — 95% attribution.

Phase 7 adds even more flavour. Through a TelegramDB leak (phone-OSINT — a standard, although morally rotten, technique), the number +380963000045 (corporate phone of INFORMATION RESOURCE LLC, EDRPOU 43042782) returns:

ПІБ:
Самойлов Володимир Володимирович

DOB:
10.02.1988

Регіон:
Київ
(вул. Володимира Світлицького 24А,
корп. 22, кв. 5)

Уродженець:
м. Конотоп
(Сумська область)

Emails:
5 адрес, включно з
[email protected]

Telegram:
3 хендли, включно з
@v_samojlov
Through EDRPOU, we pull the corporate structure. And we find the thing that puts the cherry on top of this cake.

9. “LETMEADS” Officially Exists. Nobody Just Looked

Phase 4 v3.0 of our own investigation stated: “legal entity absent from EDRPOU, likely a sole proprietor or offshore”. Phase 6 reversed that conclusion.

LLC “LETMEADS PARTNER PROGRAM NETWORK”, EDRPOU 41389384, since 09.06.2017.

Legal address – 41615, Konotop, Uspensko-Troitska St. 37A. At the same address – 6 more Samoilov LLCs. In Kyiv – the 8th node of LLC “FINTECH PARTNERS” (EDRPOU 45735130), registered on 23.05.2025 – 10 days before the launch of ekredit.org. Capital 250,000 UAH, KVED 62.01 + advertising. This is a post-scandal pivot vehicle: when the old LETMEADS LLC started accumulating tax debts, the operator simply opened a new one.

UBO 100% on all entities – Samoilov V.V. Alyona – wife, nominee director, 0% equity. On one of the LLCs (LETMEADS), since 2022 the director is Yevhenii Ostrivskyi – and this is not some random fresh freelancer.

10. Ostrivskyi, or “the nominee who isn’t”

The standard hypothesis when you see the replacement of the real beneficiary with a “director” is nominee ownership, a front person, maybe even ID-theft. We verify it.

  • Sarancha Clan, digital agency, Kyiv Popudrenka 1a, services “Affiliate Marketing” – co-founder Ostrivskyi, May 2017 (1 month before the incorporation of LETMEADS, 09.06.2017).

  • LinkedIn linkedin.com/company/affdogs – performs a 301 redirect to linkedin.com/company/letmeads. AFFDOGS and LetMeAds are the same page with different vanity URLs.

  • KNU Software Engineering 2015-2019 + Agrostudio sys-admin 2015-2018 – real education and career, not ID-theft.

  • Sole proprietor in Konotop – the same region as Samoilov.

  • And most importantly – in letmeads-for-partners.pdf, which is publicly accessible on their website, the contacts line contains the trio:

@v_samojlov
@YevheniOs
@surrealistic

  • @YevheniOs = Yevheni Os(trovskyy). This is not a support contact in the footer. This is a team-of-three core management displayed equally alongside the CEO. Ostrivskyi is a conscious participant with an active role, 80-85% confidence, not an unknowing nominee. Currently lives in Marblehead, Massachusetts (via LinkedIn). Greetings from the Hague Convention.

  • @surrealistic – likely Artem Kurinnyi, AI Creative Specialist, according to LinkedIn actively running ads for Gamzix / Bodroclub / Creogang. 70% confidence, but the trio appears stable.

11. And the Best Part: All of This Is Already Inside Case №757/31702/22-к

We go to the Unified State Register of Court Decisions and search for 44144007 (LLC “PARTNER PROGRAMS” – the operational legal face of the holding with capital of 3 million UAH).

We find criminal proceeding №757/31702/22-к:

  • Handled by: Office of the Prosecutor General of Ukraine – Department for Supervision of Organized and Transnational Crime

  • Main target: LLC “AVENTUS UKRAINE” EDRPOU 41078230, brand CreditPlus, #1 MFO on the market with 11% share, UBO Andreus Trofimov (Vilnius)

  • Article: “crimes against property” (Section VI of the Criminal Code of Ukraine), most likely Article 190 + Article 28 (organized criminal group)

  • 11.11.2022 Pechersk District Court issued an order for temporary access to documents of 52 entities for the period starting from 01.01.2020

  • 20.02.2024 Kyiv Court of Appeal (ruling 117187985) refused Aventus the opening of appellate proceedings

  • Status: pre-trial investigation, ongoing as of May 2026

In the list of 52 entities (13 of them LLCs):

That means Samoilov has already been on the radar of the Office of the Prosecutor General since November 2022 as one of 13 corporate entities inside the CreditPlus CPA ecosystem. Alongside Admitad, which is basically the largest CPA network across the entire post-Soviet space.

The irony: when in December 2024 the Sumy District Administrative Court fined LETMEADS LLC 9,525 UAH for tax debt (case 480/9685/24) – that was pocket change compared to the fact that the OPG had already been running an organized crime group case involving the same person for three years. In our country, two proceedings against the same structure can run in parallel without knowing about each other.

12. What To Do About It

If you are a victim:

Do not click the link. Block the SMS.

Report to Cyberpolice – standard procedure via cyberpolice.gov.ua.

PRIMARY TRACK: report directly to the Office of the Prosecutor General, Department of Organized Crime, referencing case 757/31702/22-к and requesting your case to be attached as an additional episode. This is not some separate new crime – this is a continuation of an already open case.

File a complaint with the Ukrainian Parliament Commissioner for Human Rights regarding the personal data leak through a CPA channel.

Check your credit history through UBKI – see whether there are any additional loans hanging on your identity.

If you are a journalist or a member of parliament – there is exactly one question in this story nobody wants to answer:

Why does a CPA contract in Ukraine still not obligate the operator to destroy the lead database after a partner leaves? This is not “recommended” and not “would be nice”. This is the single regulatory bolt holding this entire scenario together. If the Moneyveo database had been deleted in 2019, there would have been no fake 35,032 hryvnia receipt in 2026.

If you are Hosting Ukraine LLC – you have an exposed MySQL instance with production data sitting on two public IPs. This is not our problem – it is yours. But 30 minutes after CERT-UA receives this text, it becomes the NBU’s problem too.

If you are Moneyveo – pull the CPA logs from 2017-2019 and calculate exactly how many phone number + full name + tax ID combinations you transferred to LetMeAds. You are not going to like the number.

13. Instead of a Final Paragraph

This investigation took one human-month.

Without a single active scan of target sites, without VPNs, without a single request through Anthropic egress (because most Ukrainian services block it), without scraping registries.

Only:

  • crt.sh for CT logs

  • web.archive.org for time-machine snapshots

  • whoisxmlapi for WHOIS history (39 records, $0 on trial)

  • censys.io Free Plan for banner pivoting

  • rdap.org for throwaway domains

  • EDRPOU + Court Decisions Registry – public

  • GitHub Code Search – public

  • Telegram, LinkedIn, Freelancehunt – public

  • A bit of patience and knowing where to click

Meaning everything we did can be replicated by any Cyberpolice investigator within a week with nothing more than browser access. And the fact that this phishing operation is still active as of the publication date is not about the complexity of the investigation. It is about something else.

Stay safe. Do not click SMS links. And please stop taking microloans – not because it is shameful, but because your number will then be sold between 17 CPA networks for the next five years, and on the sixth year you will receive e-Receipt No. K-937.

This research is based entirely on public sources. All legal conclusions are preliminary and require verification through official procedural channels. No personal data of the victim has been disclosed. All IOC indicators, domain signatures, EDRPOU numbers, and references to court decisions are accessible through open registries. If you are Volodymyr Volodymyrovych Samoilov and consider this publication defamatory, you know where the court is. But first ask your lawyer about case №757/31702/22-к.

  • anonymous collective, May 2026