2026-06-01: wealthtraders.co.in Brand Impersonation

A fraudulent website impersonated Wealthy’s SEBI brokerage to defraud retail investors; investigation, takedown reporting, and the wider fraud network.

Incident Summary

Classification

  • Type: External brand impersonation / phishing / investment fraud
  • Severity: High (brand & regulatory impact)
  • Wealthy systems/data compromised: No β€” only our brand and SEBI registration were misused
  • Date detected: June 1, 2026
  • Status: Reported to host + Google Safe Browsing; site stopped working the same day. Regulator reports prepared but not pursued (see Actions). Monitoring for resurfacing.

What Happened

A fraudulent website, wealthtraders.co.in, impersonated WealthyIN Broking Private Limited (brand Wealthy). It posed as a SEBI-regulated MCX/commodity trading platform and displayed Wealthy’s own regulatory identifiers β€” our SEBI stock-broker registration, CIN, depository-participant, and research-analyst numbers β€” to appear legitimate.

The site advertised returns and “success rates” that no SEBI-registered broker is permitted to promise, and operated a login/deposit portal that solicited deposits and KYC documents (PAN, Aadhaar, bank details) from the public.

Investigation showed the site was not an isolated case: it was one tenant in a larger fraud operation hosted on a single provider’s VPS, cloning dozens of real SEBI-registered brokers and research firms under a shared control domain.

Impact Assessment

Who was affected

  • Retail investors / the public β€” primarily non-technical, first-time investors who could not distinguish the fake from a licensed broker because it displayed Wealthy’s real SEBI number. Direct financial loss and KYC exposure.
  • Wealthy β€” reputational and regulatory risk from unauthorised use of its SEBI registration. No internal systems, accounts, or data were accessed.

Not affected

  • Wealthy’s infrastructure, applications, databases, and customer accounts β€” entirely uninvolved. This was impersonation, not intrusion.

Indicators / Findings

  • The fraudulent domain resolved to a shared VPS at a low-cost hosting provider, behind nginx with a CodeIgniter (PHP) application.
  • The TLS certificate was a free, auto-issued wildcard β€” no organisation validation.
  • Public registration records listed a self-declared registrant organisation (treated as unverified β€” see note below).
  • The certificate transparency logs exposed the operator’s control domain, which shared the same IP, nameservers, and registrant string as the fraudulent site β€” and whose certificate covered many other clone domains impersonating unrelated, legitimate brokers.

Attribution note: The registrant name in public WHOIS is self-declared and is not confirmed identity. It must not be publicly attributed to any individual. Verified identity can only come from the registrar or host under a legal/abuse request, or from law enforcement.

Investigation Method (repeatable)

The full repeatable runbook lives in the Brand Impersonation & Phishing Takedown SOP. In summary, all findings came from public OSINT β€” no access to attacker systems:

  1. DNS resolution β†’ hosting IP and provider (via nameservers).
  2. WHOIS on the domain β†’ registrar, abuse contact, registration age.
  3. WHOIS on the IP β†’ hosting provider and abuse contact.
  4. HTTP headers β†’ web-server and application stack fingerprint.
  5. Page content review β†’ the misused SEBI/CIN identifiers and prohibited return claims.
  6. Registry cross-check β†’ confirmed the displayed SEBI registration belongs to Wealthy (proves impersonation, not coincidence).
  7. TLS certificate transparency (the key pivot) β†’ certificate SAN entries leaked the operator’s control domain.
  8. Pivot on the control domain β†’ same IP + nameservers + registrant revealed the full network of clone sites.

Actions & Reporting

Completed

  • Hosting provider abuse report β€” sent. Reported the fraudulent site and the wider co-hosted network to the host’s abuse desk (the fastest takedown lever, since it is their server).
  • Google Safe Browsing β€” submitted. Reported the URL as social-engineering / financial phishing so browsers (Chrome/Android) flag it with a warning, protecting users at the browser/DNS level.

Outcome

  • The site stopped working the same day (web server unreachable on ports 80/443; DNS record still present).

Prepared but not pursued

  • SEBI and CERT-In notifications were drafted but not sent β€” judged unnecessary because the site had already stopped working. The drafts are retained and can be sent immediately if the site resurfaces or migrates to new infrastructure.
  • Registrar abuse and national cyber-crime reporting are likewise on standby for escalation if needed.

Status & Follow-up

  • Site unreachable as of detection; monitoring for resurfacing or migration to a new IP/domain.
  • If it returns, escalate using the retained drafts (registrar β†’ SEBI β†’ CERT-In β†’ cyber-crime) to force permanent takedown and operator identification.
  • Wider network of co-hosted clone domains documented for a potential consolidated regulator/law-enforcement case.

Lessons Learned

  1. Certificate transparency is a force-multiplier β€” a single crt.sh lookup turned one report into an entire-network discovery.
  2. Impersonation β‰  breach β€” classify and route these as external security incidents, not engineering RCAs and not data breaches; the response is takedown + browser blocklisting, not internal remediation.
  3. Match the response to the outcome β€” once the site was down, host + Safe Browsing reporting was sufficient; regulator escalation was held in reserve rather than filed reflexively.
  4. Never publicly attribute self-declared WHOIS identities to real individuals β€” defamation risk, and it weakens any real case.
  5. Brand monitoring gap β€” consider proactive detection (certificate-transparency and look-alike-domain monitoring for the Wealthy brand and SEBI number) to catch the next clone earlier.