Phantom Funding: Pinning a Loan-Scam Operator With Cohort Nameservers

May 20, 2026

A financial lead-gen operator's same-day NameCheap cohort and Cloudflare nameserver pair survived three ESP migrations and a year of sender-domain churn. Through the first four months of 2026, our analysts tracked a loan-application phishing campaign — internally tagged Phantom Funding — operating in parallel through SparkPost and Amazon SES, with hundreds of disposable sender domains and tens of thousands of observed messages. The most durable correlator we found was not a sender address, a template phrase, or a CTA URL. It was a Cloudflare authoritative-nameserver pair shared by twelve landing-page hubs registered on a single day in August 2025 at NameCheap. That pair stitches the SES variant, the SparkPost variant, and at least one parallel auto-insurance vertical into a single attribution cluster.


Key Findings

  • A single financial lead-gen operator runs the campaign in parallel across SparkPost and Amazon SES, and was previously on SendGrid before migrating up the ESP stack.
  • Twelve landing-page hubs were registered at NameCheap on 2025-08-19 and assigned the Cloudflare authoritative-nameserver pair armando.ns.cloudflare[.]com and teagan.ns.cloudflare[.]com. Four additional hubs share the same pair from earlier registrations.
  • The architecture is hub-and-spoke: dozens of disposable sender domains route clicks back to a small set of hubs through a tr[.]<hub>[.]com/l/<token> redirector subdomain, consolidating victim flow into a handful of landing pages.
  • The SparkPost variant is keyed by customer ID 340176 and three subaccounts (42, 46, 48); the SES variant uses generic amazonses.com return paths and burner-persona mail-merge sender lists.
  • A separate, unrelated ecosystem of independent publishers (Nesmetaju LLC and dozens of sibling sites) uses the same commercial PLS website-kit boilerplate. Disclaimer-text dorking is therefore not a reliable attribution path; the NS-pair pivot is.
  • The operator appears to extend the same tr.<brand>.com/l/ tracker pattern to a parallel auto-insurance lead-gen vertical, suggesting cross-vertical reuse of the same backend stack.

Background

Consumer lending lead-generation scams sit at the intersection of legitimate fintech infrastructure abuse and a downstream monetization model that makes the math work. Harvested loan-application data — name, address, SSN, income, employment, bank details — is auctioned through real-time ping-tree systems: a lead aggregator pings successive downstream buyers (sub-prime lenders, tribal-lender networks, debt-relief operators, identity-theft outfits) until one accepts. A single loan-shaped lead can clear $50–$200 in this auction, which is why a campaign that costs an operator only domain-registration fees and ESP onboarding can sustain hundreds of disposable sender domains and remain economically viable. Jornaya's LeadiD system is supposed to provide consent attestation for TCPA compliance, but forged or replayed LeadiD tokens are a recurring fraud vector, letting operators claim consent on data that was never knowingly handed over. Public enforcement against this market exists — FTC actions against ITMedia Solutions and MediaAlpha, CFPB action against T3Leads — but the cadence is slow against an infrastructure layer that rotates in days.

The operator described here exploits two structural features of the modern email-delivery ecosystem. The first is ESP reputation inheritance. SparkPost, Amazon SES, and SendGrid are legitimate transactional email platforms whose IP ranges and DKIM signatures are trusted by inbox providers; mail originating from spmailtechno.com or amazonses.com return paths inherits that trust, slipping past sender-reputation filters that would catch a self-hosted MTA on a fresh VPS. The second is registrar and CDN economics. NameCheap permits bulk domain registration with minimal KYC, and Cloudflare offers free DNS with a TLS-terminated edge in front of the landing pages. The combination is cheap, fast, and looks legitimate at every signal layer except the behavioral one.


Discovery and Infrastructure

The Phantom Funding cluster first surfaced as a financial lead-gen pattern in early January 2026, when our analysts noticed dozens of disposable firstname.lastinitial@<finance-keyword-mashup>.com sender addresses sharing a SparkPost return-path signature. The bounce-address VERP encodes both the SparkPost customer ID and the subaccount (bounces-340176-42@spmailtechno[.]com); this string alone is operator-attributable, because it is sticky across every sender domain the operator deploys on that account. The customer-ID pivot surfaced over a hundred sender addresses across more than a hundred and seventy .com/.ai domains, all using the same financial keyword-mashup pattern (fund, budget, capital, lend, loan, debt, tax, finance, wealth, vault, asset, credit, alert, smart, nexus, concept).

In mid-April 2026, a parallel SES-delivered cluster surfaced through a different signature: a centralized tracking subdomain tr[.]krediblefunds[.]com referenced by sender domains that did not themselves resolve to a landing page. Pulling all senders whose CTAs resolved to tr.krediblefunds[.]com yielded a tight cluster of fifteen sender domains and several hundred unique senders, most of which were burner personas using the operator's signature firstname.lastname@<brand>.com template. From there, a WHOIS sweep of krediblefunds[.]com returned the registrar NameCheap, registration date 2025-08-19, and authoritative nameservers armando.ns.cloudflare[.]com / teagan.ns.cloudflare[.]com. Querying Cloudflare's authoritative-NS pair for other delegated domains in our telemetry returned eleven additional hubs sharing the same pair, eight of them registered on the exact same day at the same registrar. That cohort signature became the campaign's spine.

| Hub Domain | Registered | Nameserver Pair | Status |
|---|---|---|---|
| krediblefunds[.]com | 2025-08-19 | armando.ns / teagan.ns (cloudflare[.]com) | Active |
| fundriff[.]com | 2025-08-19 | armando.ns / teagan.ns | Active |
| fundyze[.]com | 2025-08-19 | armando.ns / teagan.ns | Active |
| fundsparkz[.]com | 2025-08-19 | armando.ns / teagan.ns | Cooling |
| fundsygo[.]com | 2025-08-19 | armando.ns / teagan.ns | Active |
| cashluma[.]com | 2025-08-19 | armando.ns / teagan.ns | Active |
| lendlyst[.]com | 2025-08-19 | armando.ns / teagan.ns | Active |
| lendlyfe[.]com | 2025-08-19 | armando.ns / teagan.ns | Active |
| mityfunds[.]com | 2025-10-22 (re-reg) | armando.ns / teagan.ns | Active |
| gimmelend[.]com | 2023-08-04 | armando.ns / teagan.ns | Active |
| lendiftyhub[.]com | (cohort) | armando.ns / teagan.ns | Active |
| lendiftypro[.]com | (cohort) | armando.ns / teagan.ns | Active |

Cloudflare assigns its authoritative nameservers deterministically per account, drawn from a roster of single-name labels (armando, teagan, kara, dilbert, and so on). The pair an account receives is sticky: rotating it requires moving every domain to a different account, re-validating ownership, and accepting a propagation gap. From a threat-research perspective this is excellent news — once an operator's NS pair is identified, every domain delegated to that pair is presumptively the same actor, and historical DNS data sources (Farsight, SecurityTrails, public DNS scans) make the lookup trivial.


How It Works

The pretext is "you have a pending funding application." The lure does not impersonate a specific named lender; it leans on the phrase funding and the assumption that any given recipient has, at some point, looked at a personal-loan or debt-consolidation site. The first sentence usually contains the recipient's first name, scraped from the local-part of their email address or pulled from a purchased lead list. The body fabricates a transaction number, a date, and an "amount requested" field to suggest a real application that the recipient has merely forgotten about. The CTA — "Review Your Updated Options," "Complete My Account," "View Paid Volunteer Listings" for one of the variants — routes through an ESP click-tracker subdomain that forwards into a multi-step web form requesting the high-value PII the operator monetizes downstream.

A representative SparkPost-variant header set, defanged:

From: "Indafunds" <cooper.a@indafunds[.]com>
Subject: More funding available, resubmit your application [Recipient First Name]
Return-Path: <bounces-340176-42@spmailtechno[.]com>
List-Unsubscribe: <http[:]//unsub.spmta[.]com/...>

A representative SES-variant header set:

From: "Jonatan Olson" <jonatan.olson@cashluma[.]com>
Subject: Application successfully accepted
Return-Path: <0100019dXXXXXXXX-XXXXXXXX-...-000000@amazonses[.]com>

A representative spoke routing back to a hub through the redirector pattern:

From: "Douglas Lang" <douglas.lang@fundflippr[.]com>
Subject: Next steps to confirm your info
CTA: hxxps://tr.krediblefunds[.]com/cv2/5xrYPX6/U2Fs...

That last sample is the architectural signature in a single line. fundflippr[.]com does not host a landing page; clicking the CTA hits the tr.krediblefunds[.]com/cv2/<token> redirector, which forwards to the consolidated landing page hosted on krediblefunds[.]com. Several spokes route to the same hub, and several hubs are wired in parallel; the spoke layer exists to inflate sender-domain diversity for blocklist evasion while the landing experience remains a single funnel.


Technical Analysis

Same-Day Cohort Registration

Eight of twelve landing-page hubs were registered on 2025-08-19 at NameCheap, an operationally efficient pattern that strongly suggests pre-planned infrastructure rollout. Bulk same-day registrations leave a forensic trail in registrar transaction logs and historical WHOIS that researchers can use to cluster related infrastructure even when sender addresses, landing-page content, and CTA tokens differ. Spamhaus has documented bulk registration as a recurring spam-operator behavior; the pattern is generalizable beyond this case.

Cloudflare NS-Pair Pivot

Cloudflare's authoritative nameserver pair is account-scoped and not domain-scoped. When armando.ns.cloudflare[.]com / teagan.ns.cloudflare[.]com appears as the NS set for a domain, the domain is delegated to the Cloudflare account that was provisioned with that pair. Pivoting on the NS pair across passive-DNS data sources surfaces every domain currently or historically delegated to that account, which is far stickier than the rotated sender addresses or the CTA tokens. For this operator the pair clusters all twelve hubs and links several spoke domains as well.

Hub-and-Spoke Click Architecture

ESP click trackers are a routine industry convention. Operators rewrite outbound CTAs to a tr.<brand>.com/l/<base64-token> subdomain so the ESP can record the click before forwarding to the destination. Phantom Funding weaponizes the convention: the spokes (sending-only sender domains) embed CTAs into the hubs' tracker subdomains, so every spoke click flows through a hub-owned redirector and lands on a hub-hosted credential or PII-collection page. The operational benefit is simple — one funnel to maintain, dozens of sender brands to burn through. The forensic benefit, for defenders, is that any sender domain whose CTAs resolve through a known hub's tr. subdomain is presumptively the same operator.
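The NS-pair pivot and the hub-and-spoke mapping described in the two sections above, as an added worked example that is not part of the original report: a Python script that clusters domains by their normalized authoritative-NS set, maps sending-only spokes to the hub behind each tr.<hub>/l/ or /cv2/ CTA, and expands one known hub into the cohort perimeter. The passive-DNS rows, WHOIS summary and CTA observations are constructed inline; the hub names, the armando/teagan pair and the first CTA come from the report, while unrelated-lender.com, otherspoke.com, newsletter.example and the kara/dilbert pair are constructed to show an unrelated Cloudflare account that happens to share the registration date.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed passive-DNS style (domain, nameserver) rows. The hub names and the
# armando/teagan pair come from the report; unrelated-lender.com and its
# kara/dilbert pair are constructed to stand for a different Cloudflare account.
NS_RECORDS = [
    ("krediblefunds.com", "armando.ns.cloudflare.com"),
    ("krediblefunds.com", "teagan.ns.cloudflare.com"),
    ("fundriff.com", "teagan.ns.cloudflare.com"),
    ("fundriff.com", "armando.ns.cloudflare.com"),
    ("fundyze.com", "Armando.NS.Cloudflare.com."),  # case and trailing-dot noise, constructed
    ("fundyze.com", "teagan.ns.cloudflare.com"),
    ("unrelated-lender.com", "kara.ns.cloudflare.com"),
    ("unrelated-lender.com", "dilbert.ns.cloudflare.com"),
]

# Constructed (sender_domain, cta_url) observations. The first CTA is the report's
# defanged sample refanged; the other URLs and otherspoke.com are placeholders.
CTA_OBSERVATIONS = [
    ("fundflippr.com", "https://tr.krediblefunds.com/cv2/5xrYPX6/U2Fs"),
    ("hereforfunds.com", "https://tr.fundyze.com/l/cGxhY2Vob2xkZXI"),
    ("brightbridgefund.com", "https://tr.fundriff.com/l/cGxhY2Vob2xkZXI"),
    ("brightbridgefund.com", "https://tr.krediblefunds.com/l/cGxhY2Vob2xkZXI"),
    ("otherspoke.com", "https://tr.unrelated-lender.com/l/cGxhY2Vob2xkZXI"),
    ("newsletter.example", "https://click.esp.example/t/1"),
]

# Constructed WHOIS summary: domain -> (registrar, creation date). Hub dates follow
# the report's table; unrelated-lender.com is given the same date on purpose.
WHOIS = {
    "krediblefunds.com": ("NameCheap", "2025-08-19"),
    "fundriff.com": ("NameCheap", "2025-08-19"),
    "fundyze.com": ("NameCheap", "2025-08-19"),
    "unrelated-lender.com": ("NameCheap", "2025-08-19"),
}

TRACKER_HOST_RE = re.compile(r"^tr\.([a-z0-9-]+\.(?:com|ai|net|org))$")
TRACKER_PATH_RE = re.compile(r"^/(l|cv2)/")


def cluster_by_ns_pair(records):
    """Group domains by their full normalized NS set (account-scoped on Cloudflare)."""
    per_domain = defaultdict(set)
    for domain, ns in records:
        per_domain[domain.lower()].add(ns.lower().rstrip("."))
    clusters = defaultdict(list)
    for domain, hosts in per_domain.items():
        clusters[tuple(sorted(hosts))].append(domain)
    return {pair: sorted(domains) for pair, domains in clusters.items()}


def hub_for_cta(url):
    """Return the parent hub when the CTA is a tr.<hub>/l/ or /cv2/ redirector, else None."""
    parts = urlparse(url)
    m = TRACKER_HOST_RE.match((parts.hostname or "").lower())
    if not m or not TRACKER_PATH_RE.match(parts.path):
        return None
    return m.group(1)


def map_spokes(observations):
    """Map each sending-only spoke to the hub(s) its CTAs route through."""
    spokes = defaultdict(set)
    for sender_domain, url in observations:
        hub = hub_for_cta(url)
        if hub:
            spokes[sender_domain.lower()].add(hub)
    return {spoke: sorted(hubs) for spoke, hubs in spokes.items()}


def cohort_perimeter(records, observations, known_hub):
    """Expand one known hub into its NS-pair siblings and every spoke routing to them."""
    hubs = set()
    for domains in cluster_by_ns_pair(records).values():
        if known_hub in domains:
            hubs.update(domains)
    spokes = {s for s, h in map_spokes(observations).items() if set(h) & hubs}
    return {"hubs": sorted(hubs), "spokes": sorted(spokes)}


def same_day_groups(domains, whois):
    """Enrichment only: bucket domains by (registrar, creation date)."""
    groups = defaultdict(list)
    for d in domains:
        if d in whois:
            groups[whois[d]].append(d)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    print(cohort_perimeter(NS_RECORDS, CTA_OBSERVATIONS, "krediblefunds.com"))
    # The same-day bucket alone would pull in unrelated-lender.com; the NS pair does not.
    print(same_day_groups(list(WHOIS), WHOIS))
```

Starting from krediblefunds.com, the perimeter resolves to the three hubs on the armando/teagan pair and the three spokes whose CTAs route through them; otherspoke.com is left out because its hub sits on a different NS pair, even though that hub shares the registration date. That is the ordering the report recommends: pivot on the NS pair first, use the same-day cohort as enrichment.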

Dual-ESP Operation

The operator runs the campaign through both SparkPost and Amazon SES in parallel, with specific brand domains pinned to one ESP or the other. Two domains in the SES-variant cohort (gofundspros[.]com and directafunding[.]com) deliver through SparkPost customer ID 340176, closing the loop between the two channels and confirming the same operator owns both. Earlier infrastructure on SendGrid — the bounces+...@sendgrid[.]net return-path footprint with training[.]mba and marketingreveal[.]com as click trackers — establishes that the operator has now run on three different ESPs in succession, escalating up the reputation ladder as accounts get burned.

Burner-Persona Mail-Merge

Three SES-variant brands (happifundz[.]com, flashlendez[.]com, lendaccesspro[.]com) host hundreds of distinct firstname.lastname@<brand>.com sender addresses each, generated through a mail-merge process against a name list. Other brands in the cohort use a single fixed info@<brand>[.]com address. The two patterns coexist on the same SES account, suggesting the operator runs different distribution strategies per brand — high-persona-diversity brands chase deliverability through sender-rotation, fixed-sender brands lean on volume and a stable account reputation.

Commercial Template Provenance

A Google search on two specific disclaimer phrases that appear in Phantom Funding landing pages returns hundreds of generic-name lending sites, including dozens that appear to be operated by Nesmetaju LLC (St. Kitts & Nevis) and other independent publishers. Those sites are not part of this operator's infrastructure; they share a commercial white-label PLS (Personal Lending Service) website kit whose boilerplate text is reused across many unrelated tenants. Disclaimer-text dorking is therefore a high-false-positive attribution technique here. The durable signal remains the NS-pair plus the same-day registration cohort, not the template text.


Detection Observations

Behavioral signals separating this operator from legitimate transactional or marketing mail:

  • A return-path of bounces-340176-{42|46|48}@spmailtechno[.]com is an operator-attributable string in itself; SparkPost customer 340176 does not appear to send any benign mail in our telemetry.
  • Sender domains following the regex ^[a-z]+\.[a-z]@[a-z]+(fund|budget|capital|pay|lend|loan|debt|tax|finance|wealth|vault|asset|credit|alert|smart|nexus|concept)[a-z]*\.(com|ai)$, paired with a fresh-registration WHOIS or a NameCheap registrar, are very strong predictors of cohort membership when combined with a financial pretext subject line.
  • The CTA pattern tr.<hub>[.]com/l/<base64-token> or tr.<hub>[.]com/cv2/<token> is the cleanest cross-cluster pivot. Mapping every observed tr. subdomain back to its parent landing page surfaces the hub-and-spoke perimeter without needing to enumerate spokes.
  • The Cloudflare NS pair armando.ns.cloudflare[.]com / teagan.ns.cloudflare[.]com is the longest-lived correlator and survives ESP migration. New domains delegated to that pair should be treated as presumptively cohort-aligned pending content review.
  • Same-day cohort registration at NameCheap, with twelve hubs registered on 2025-08-19 and re-registrations clustered at 2025-10-22, is a useful enrichment signal once a candidate is surfaced through the other pivots.

Mitigation and Guidance

For email-security and SOC teams:

  • Block on the durable cohort indicators (NS pair, hub domains, tr.<hub>.com/l/ tracker subdomains, SparkPost customer-ID return-path string) rather than enumerating spokes.
  • For inbound mail-flow inspection, add a rule that flags any message whose CTA host matches ^tr\.[a-z0-9-]+\.(com|ai|net|org)/(l|cv2)/ paired with an amazonses[.]com or spmailtechno[.]com return path; the combination is a strong indicator absent legitimate-platform context.
  • For threat-intel teams, run a passive-DNS pivot on armando.ns.cloudflare[.]com + teagan.ns.cloudflare[.]com weekly. Any new delegation from this pair into the financial-keyword namespace warrants a content review.
  • For abuse-team escalation, SparkPost customer ID 340176 and the tr[.]krediblefunds[.]com cluster are reportable. ESP abuse teams act faster on operator-attributable signatures than on individual sender complaints.
  • For consumer-protection partners, the harvested PII downstream chain (ping-tree resale into sub-prime and tribal-lender networks) is a documented FTC and CFPB enforcement target; coordinated reporting to those agencies has historical precedent for action against the lead-buying tier.
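The detection signals listed under Detection Observations and the mail-flow rule in the list above, as an added example that is not part of the original report: a Python triage function that applies the report's patterns (the SparkPost VERP string, the sender regex from the IoC section, and the tr.<hub>/(l|cv2)/ CTA rule paired with an amazonses.com or spmailtechno.com return path) to four constructed messages. Three are built from the report's defanged header samples, refanged, with constructed CTA and return-path placeholders where the report elides them; the fourth is a constructed benign SES-delivered order notification. The pretext-word list is an assumption standing in for "financial pretext subject line".

```python
import re
from urllib.parse import urlparse

# Patterns taken from the report (refanged).
SENDER_RE = re.compile(
    r"^[a-z]+\.[a-z]@[a-z]+(fund|budget|capital|pay|lend|loan|debt|tax|finance|"
    r"wealth|vault|asset|credit|alert|smart|trust|pro|nexus|concept)[a-z]*\.(com|ai)$"
)
SPARKPOST_VERP_RE = re.compile(r"^bounces-340176-(42|46|48)@spmailtechno\.com$")
TRACKER_CTA_RE = re.compile(r"^tr\.[a-z0-9-]+\.(com|ai|net|org)/(l|cv2)/")
ESP_RETURN_PATH_RE = re.compile(r"@(amazonses\.com|spmailtechno\.com)$")
# Assumed keyword list standing in for "financial pretext subject line".
PRETEXT_WORDS = ("funding", "application", "loan", "funds", "lender")

# Constructed sample messages. Names, subjects and sender addresses follow the
# report's samples; CTA URLs and the SES return-path values are placeholders.
SAMPLES = [
    {   # SparkPost variant
        "from": '"Indafunds" <cooper.a@indafunds.com>',
        "subject": "More funding available, resubmit your application Jane",
        "return_path": "<bounces-340176-42@spmailtechno.com>",
        "cta": "https://post.spmailtechno.com/f/a/PLACEHOLDER",
    },
    {   # SES variant, burner persona
        "from": '"Jonatan Olson" <jonatan.olson@cashluma.com>',
        "subject": "Application successfully accepted",
        "return_path": "<0100019dPLACEHOLDER-000000@amazonses.com>",
        "cta": "https://tr.cashluma.com/l/cGxhY2Vob2xkZXI",
    },
    {   # spoke routing to a hub redirector
        "from": '"Douglas Lang" <douglas.lang@fundflippr.com>',
        "subject": "Next steps to confirm your info",
        "return_path": "<0100019dPLACEHOLDER-000001@amazonses.com>",
        "cta": "https://tr.krediblefunds.com/cv2/5xrYPX6/U2Fs",
    },
    {   # constructed benign transactional mail on SES
        "from": '"Example Shop" <orders@shop.example>',
        "subject": "Your order has shipped",
        "return_path": "<0100019dPLACEHOLDER-000002@amazonses.com>",
        "cta": "https://shop.example/orders/123",
    },
]


def addr(value):
    """Extract the bare address from 'Name <addr>' or '<addr>' header forms."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def cta_host_path(url):
    """Host plus path, the shape the report's tracker regex is written against."""
    u = urlparse(url)
    return f"{(u.hostname or '').lower()}{u.path}"


def assess(msg):
    """Return the matched signals and a verdict for one parsed message dict."""
    sender = addr(msg["from"])
    rp = addr(msg["return_path"])
    subject = msg["subject"].lower()
    signals = {
        "operator_verp": bool(SPARKPOST_VERP_RE.match(rp)),
        "tracker_cta": bool(TRACKER_CTA_RE.match(cta_host_path(msg["cta"]))),
        "esp_return_path": bool(ESP_RETURN_PATH_RE.search(rp)),
        "sender_pattern": bool(SENDER_RE.match(sender)),
        "pretext_subject": any(w in subject for w in PRETEXT_WORDS),
    }
    if signals["operator_verp"]:
        verdict = "block"  # the customer-ID string is operator-attributable on its own
    elif (signals["tracker_cta"] and signals["esp_return_path"]) or (
        signals["sender_pattern"] and signals["pretext_subject"]
    ):
        verdict = "flag"   # strong combination, hold for content review
    else:
        verdict = "allow"
    return {"verdict": verdict, "signals": signals}


def triage(messages):
    """Verdict per message, in input order."""
    return [assess(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLES, triage(SAMPLES)):
        print(v, addr(m["from"]))
```

The VERP string alone decides the first sample. The two SES samples are caught by the tracker-plus-ESP combination even though their sender addresses do not match the SparkPost-variant regex (its local-part is firstname plus a single initial), and the benign SES notification passes because a legitimate platform return path without a tr.<hub> redirector is exactly the "legitimate-platform context" the rule is meant to leave alone.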

MITRE ATT&CK Mapping

| Tactic | Technique | ID |
|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Resource Development | Acquire Infrastructure: Server | T1583.004 |
| Resource Development | Establish Accounts: Email Accounts | T1585.002 |
| Initial Access | Phishing: Spearphishing Link | T1566.002 |
| Defense Evasion | Impersonation | T1656 |


Indicators of Compromise

All indicators below are defanged. Recipient data has been removed.

Cohort Landing Hubs

| Domain | Role |
|---|---|
| krediblefunds[.]com | Hub — primary tracker via tr[.]krediblefunds[.]com |
| fundriff[.]com | Hub |
| fundyze[.]com | Hub |
| fundsparkz[.]com | Hub |
| fundsygo[.]com | Hub |
| cashluma[.]com | Hub |
| lendlyst[.]com | Hub |
| lendlyfe[.]com | Hub |
| mityfunds[.]com | Hub |
| gimmelend[.]com | Hub |
| lendiftyhub[.]com | Hub |
| lendiftypro[.]com | Hub |

Sending-Only Spokes (CTAs Resolve to a Hub)

| Domain | Resolves To |
|---|---|
| fundflippr[.]com | krediblefunds |
| thebetterlend[.]com | krediblefunds |
| accountsclear[.]com | krediblefunds |
| hereforfunds[.]com | fundyze |
| enterhelps[.]com | krediblefunds |
| lendylite[.]com | fundriff |
| lendingwinter[.]com | fundyze |
| brightbridgefund[.]com | fundriff + krediblefunds |
| fasthelperpro[.]com | fundsygo |
| lendingforfunds[.]com | lendlyfe |

Extended SES-Variant Sender Domains

| Domain | Pattern |
|---|---|
| weaveloans[.]com | Single-sender |
| gimmeloans[.]com | Single-sender |
| easyfundusa[.]com | Single-sender |
| bpifunds[.]com | Single-sender |
| zippyloaner[.]com | Single-sender |
| zestpayloan[.]com | Single-sender |
| hnfund[.]com | Single-sender |
| smartfundsusa[.]com | Single-sender |
| loanboostexpress[.]com | Single-sender |
| onlysloan[.]com | Single-sender |
| bwfloan[.]com | Single-sender |
| firstworldloans[.]com | Single-sender |
| skylinefundings[.]com | Single-sender |
| fundhustle[.]com | Single-sender |
| fundstrade[.]com | Single-sender |
| happifundz[.]com | Burner-persona mail-merge |
| gofundspros[.]com | Single-sender (delivered via SparkPost) |
| directafunding[.]com | Single-sender (delivered via SparkPost) |
| flashlendez[.]com | Burner-persona mail-merge |
| lendnetworkusa[.]com | Single-sender |
| lendaccesspro[.]com | Burner-persona mail-merge |
| secureloannow[.]com | Single-sender |
| expressfundin[.]com | Single-sender |

Infrastructure Identifiers

| Value | Role |
|---|---|
| armando.ns.cloudflare[.]com | Authoritative NS — cohort signature (Cloudflare) |
| teagan.ns.cloudflare[.]com | Authoritative NS — cohort signature (Cloudflare) |
| bounces-340176-{42,46,48}@spmailtechno[.]com | SparkPost VERP — customer/subaccount fingerprint |
| post.spmailtechno[.]com | SparkPost click-tracker subdomain |
| unsub.spmta[.]com, unsubscribe.spmta[.]com | SparkPost unsubscribe domains |
| *@amazonses[.]com | SES return-path footprint |
| tr[.]<hub>[.]com/l/<token> | Hub redirector subdomain pattern |
| tr[.]<hub>[.]com/cv2/<token> | Hub redirector subdomain pattern (variant) |

Earlier-Variant Infrastructure (SendGrid Predecessor)

| Value | Role |
|---|---|
| bounces+...@sendgrid[.]net | SendGrid VERP — earlier ESP track |
| training[.]mba | Earlier-variant tracker |
| marketingreveal[.]com | Earlier-variant CTA + tracker |

SparkPost-Variant CTA / Redirect Domains

| Value | Role |
|---|---|
| simplemoneygoals[.]com | CTA redirect |
| hoptheplanet[.]com | CTA redirect |

SparkPost-Variant Sender Pattern

Regex: ^[a-z]+\.[a-z]@[a-z]+(fund|budget|capital|pay|lend|loan|debt|tax|finance|wealth|vault|asset|credit|alert|smart|trust|pro|nexus|concept)[a-z]*\.(com|ai)$
Return-Path: bounces-340176-*@spmailtechno[.]com

Known SparkPost-Variant Sender Domains

alertfinnews[.]com, alertrequest[.]com, alfinta[.]com, aspirefundings[.]com, assetinstream[.]com, axyfinancialconcept[.]com, axyfunding[.]com, bluehavenfinance[.]com, borrowingnexus[.]com, brightfundstoday[.]com, brightwaveloans[.]com, buckheadfunds[.]com, budgetadirect[.]com, budgetfintech[.]com, budgetica[.]ai, budgetingquiz[.]com, budgetsmart[.]ai, cashadvancenexus[.]com, coinfusetech[.]com, confin[.]ai, connectfundings[.]com, connectingfunding[.]com, connectingfunds[.]com, connectwithfund[.]com, contracta[.]ai, daybridgefunding[.]com, debtfinancingnexus[.]com, didebta[.]com, directafunding[.]com, directlinkapp[.]com, elendsphere[.]com, enfinta[.]com, eprotocol[.]ai, ezalerts[.]ai, ezbudget[.]ai, ezfunda[.]com, ezsignal[.]ai, eztrust[.]ai, fastfinconcept[.]com, fastfundinguno[.]com, finatco[.]com, finderica[.]com, findirectica[.]com, finlogixconnect[.]com, finovapulse[.]com, finovoone[.]com, finprosalerts[.]com, finproshub[.]com, finpulsera[.]com, finrpro[.]com, finsummitpros[.]com, fintaxt[.]com, fintecafunds[.]com, fintka[.]com, fintriopros[.]com, finxtro[.]com, flowvesta[.]com, foterva[.]com, fundablex[.]com, fundingconceptpros[.]com, fundingdedicated[.]com, fundingdirecta[.]com, fundingintegra[.]com, fundinguno[.]com, fundlances[.]com, fundpulseapp[.]com, fundrequestpros[.]com, fundsforbudget[.]com, fundtronix[.]com, getfundsgoing[.]com, gofundspros[.]com, harvestbudget[.]com, icasefunds[.]com, icashorbit[.]com, icredifynow[.]com, ifinantica[.]com, inbudget[.]ai, inbudgetalerts[.]com, incansoft[.]com, incapitaldirect[.]com, incapitalica[.]com, incapitalpros[.]com, incapitalquest[.]com, incontract[.]ai, incredflow[.]com, indafunds[.]com, indifinanca[.]com, inequityspark[.]com, infinansa[.]com, infinbudget[.]com, infinpros[.]com, inflowvest[.]com, infundaconcept[.]com, infundingconnect[.]com, infundingprocess[.]com, infundpros[.]com, infunds[.]ai, infundspros[.]com, inmanfunding[.]com, innewsfinancial[.]com, innodebt[.]com, inodebta[.]com, inpaymentpros[.]com, inpayvantage[.]com, insmartbudget[.]com, installmentnexus[.]com, intaxpros[.]com, integrabudget[.]com, interrafund[.]com, ipayora[.]com, iping[.]ai, isafespend[.]com, isignal[.]ai, iswiftledger[.]com, itixat[.]com, lendahive[.]com, lendoratrust[.]com, lendorica[.]com, lendoriaone[.]com, linkfundinga[.]com, mailing.simplemoneygoals[.]com, maxconnecta[.]com, maxunderwriting[.]com, microloannexus[.]com, midtownfunds[.]com, monexaone[.]com, moneynesta[.]com, news.premiumtradingstrategy[.]com, nulafunds[.]com, nxtfina[.]com, payflowdirect[.]com, paynovatech[.]com, payprosmax[.]com, payventurehub[.]com, payversea[.]com, personalloannexus[.]com, primelendnow[.]com, prosfunds[.]com, prounderwrite[.]com, quickfinancialconcept[.]com, quickfinancialdepot[.]com, rapidalerta[.]com, rapidstarloans[.]com, reminding[.]ai, requestalerts[.]com, requestrapid[.]com, smartspending[.]ai, spendquiz[.]com, taxdirectly[.]com, taxethica[.]com, taxgo[.]ai, taxlocity[.]ai, thefundingpoints[.]com, thefundspros[.]com, titanfundingdirect[.]com, trueedgeloans[.]com, truewealthwp[.]com, trustaedge[.]com, trustorapay[.]com, turbolendnow[.]com, uplinx[.]ai, uptownbudget[.]com, vaultbridges[.]com, vaultedgepay[.]com, vaultiko[.]com, wealthapath[.]com, wealthgrida[.]com, wealthifypros[.]com, yourdigitaldigest[.]com, zippycashflow[.]com, zoominfinancial[.]com


Conclusion

Operators rotate sender addresses in days, sender domains in weeks, and ESP accounts in months. Authoritative-nameserver pair assignments and same-day registration cohorts rotate on the order of years, because rotating them costs the operator real time and re-validation work. For threat-intel teams chasing high-volume disposable infrastructure, the most useful pivots are usually the ones the operator did not realize they were exposing — and a Cloudflare NS pair shared across a dozen registration siblings is exactly that kind of pivot. Defenders who pair NS-pair watching with ESP customer-ID fingerprinting will keep up with this operator more cheaply than defenders who chase the daily sender churn.


Tags: phishing · scams · identity protection
