Serious Discussion Habbo phishing scam, infostealer possibility, could someone do research of this?

Moonhorse


Got a gift from a random person and it seems it's not a staff account at all. But when I enter the site habbouusivuosi.com it gives me a site like this:
[screenshot]

You can pretty much type any account name there that is registered on Habbo, and everyone is rewarded for the first reward (costs like 45 EUR).
After this it asks me to connect my MetaMask to receive the gift.

My question is: is it possible to steal from a crypto wallet through the browser, without installing a third-party app or extension?

This is pretty suspicious, but since I'm buying/selling NFTs for real money in this game, and earn a lot of money by owning NFT avatars, I was curious: is this real?

The domain is a newly registered domain and it seems it's a scam.

TLDR: could someone go further than I went and see what happens if you go deeper here, and do they ask you to install an infostealer or something?
 
Yes — it’s possible to lose crypto (especially NFTs / tokens) “through the browser” without installing anything new, even if your PC is otherwise clean.

How wallet draining works without installing malware

1) Malicious transaction / approval (most common)
“Connect wallet” by itself usually only shares your public address. The real danger is what the site asks you to sign next:

  • Token/NFT approvals (e.g., “approve”, “setApprovalForAll”, “permit”): this can grant the attacker ongoing permission to transfer your tokens/NFTs out later.
  • Blind signing: many users approve something they can’t easily read, especially on EVM chains.
  • Signature-based scams: even a “sign message to verify/claim” can be used in certain flows to authorize actions (depending on dApp design), and it also normalizes signing prompts so the next prompt is a real approval/tx.

If you sign an approval/permit, they can drain assets later from your wallet address without any further prompts.

2) Seed phrase / key phishing
Some scam pages eventually show a fake “MetaMask connection error” and then ask you to “restore” by entering your seed phrase/private key. If you enter it, the wallet is effectively compromised.

3) Fake wallet install prompt
They may push you to install a “MetaMask update”, “special connector”, or APK/EXE. That’s classic info-stealer territory, but they often don’t even need to go that far if they can get approvals.

4) Browser/extension exploit (rare, but possible)
A real drive-by exploit is much less common than the 3 items above. Most “wallet drains” are not technical exploits — they’re consent/authorization abuse (approvals/permits) or straight phishing.

About your specific case (Habbo reward + newly registered domain + MetaMask)
What you described matches a very typical “free reward / limited claim” crypto-phishing pattern. A newly registered domain is a strong red flag, and “everyone is rewarded” + “connect MetaMask to receive gift” is exactly how wallet drain campaigns operate.

About “going deeper” to see what happens
I can’t safely “interact” with a potentially malicious site on your behalf, and you shouldn’t either from a wallet/device that matters. If you want to analyze it safely, these are low-risk options:

  • Submit the URL to multi-scanners / sandboxes (no wallet interaction): VirusTotal and urlscan.io
  • Check domain age/WHOIS and hosting details.
  • If you must test behavior, do it in an isolated VM + a separate browser profile with a brand-new “burner” wallet that has zero funds and no valuable NFTs — and still avoid signing approvals/transactions.

If you already clicked “connect” or signed something
  • In MetaMask, review “Connected sites” and disconnect anything suspicious.
  • Revoke approvals for the affected chain(s): Revoke.cash
  • If you signed approvals and you have valuable assets, move them to a fresh wallet you fully control (new seed), because approvals can persist.

Conclusion
Yes, they can steal assets without you installing anything — the usual method is tricking you into signing an approval/permit/transaction. Treat this as a scam, don’t connect/sign from your real wallet, and use URL scanning + approval revocation as your next steps.
 
"At the hotel"
I was wondering about the lingo myself, so I looked it up and it appeared to be a Habbo thing. Probably, like, a community of Habbos is called a hotel.

OP is a forum vet. It's a wonder he didn't run away at the first two signs (not an official account, new domain). Now, just imagine the less-informed gamers.
 
The reported site habbouusivuosi[.]com exhibits multiple high-confidence indicators of malicious intent.

Credential/Seed Phrase Phishing
The most critical observation is that the site explicitly requests the user's 12-word recovery phrase (seed phrase). Under no legitimate circumstances will a decentralized application (dApp) or service require your seed phrase to "connect" or receive rewards. This is a direct violation of standard security practices defined in NIST SP 800-63B.

Social Engineering Lure
The attacker uses a "free gift" or "reward" valued at approximately 45 EUR to create a sense of urgency. This matches the "Reward/Prize" lure category frequently documented by SANS.

Wallet Draining via Approvals
Even without a seed phrase, simply "connecting" a wallet and signing a transaction can lead to total asset loss. Attackers use malicious setApprovalForAll or permit signatures to grant themselves permission to transfer your tokens/NFTs at a later time.

Domain Indicators
The domain habbouusivuosi[.]com is newly registered, a common indicator of a "disposable" phishing infrastructure designed to evade reputation-based filters.

Recommendation / Remediation

If you or anyone you know has interacted with this site, perform the following steps immediately.

Cease All Interaction
Close the browser tab and do not revisit the site.

Asset Triage (If Seed Phrase was Entered)
If you provided your 12-word phrase, the wallet is compromised. You must immediately create a completely new wallet (with a new seed phrase) and attempt to move any remaining assets to the new address. Do not use the old wallet again.

Revoke Approvals (If Wallet was Connected)
If you connected your wallet but did not give the seed phrase, you may have signed a malicious approval. Use a trusted tool like revoke[.]cash to check for and revoke any permissions granted to unknown contracts.

Disconnect Site
In your MetaMask settings, go to "Connected Sites" and manually remove any entry related to the suspicious domain.

Browser Cleanup
Clear your browser cache and cookies to ensure no session-based tracking remains.

References

NIST SP 800-63B (Digital Identity Guidelines)

SANS Security Awareness: Phishing

MITRE ATT&CK: T1566 (Phishing), T1566.002 (Spearphishing Link)

This analysis reflects current threat intelligence as of January 26, 2026.
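
The approval-based draining described in this post and in the earlier reply can be checked mechanically before anything is signed. The following is an added example, not part of either post: it classifies a wallet request using the standard ERC-20/ERC-721 function selectors and the EIP-2612 Permit typed-data type; the function names and the sample requests are constructed for illustration.

```javascript
// Added example: triage a wallet request before signing. Sample inputs are constructed.
const SELECTORS = { // first 4 bytes of keccak256(function signature)
  "095ea7b3": "approve(address,uint256)", // ERC-20 amount; on ERC-721 the 2nd arg is a tokenId
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;
const asAddress = (word) => "0x" + word.slice(24); // low 20 bytes of a 32-byte word
function classifyCalldata(dataHex) {
  const data = (dataHex || "0x").replace(/^0x/, "").toLowerCase();
  const call = SELECTORS[data.slice(0, 8)];
  if (!call) return { risk: "unknown", reason: "not an approval call; review manually" };
  const words = data.slice(8).match(/[0-9a-f]{64}/g) || [];
  if (words.length < 2) return { risk: "high", call, reason: "approval call with malformed arguments" };
  const grantee = asAddress(words[0]);
  const value = BigInt("0x" + words[1]);
  if (call.startsWith("setApprovalForAll"))
    return value === 0n
      ? { risk: "low", call, grantee, reason: "revokes an operator approval" }
      : { risk: "high", call, grantee, reason: "operator can transfer every NFT in this collection" };
  if (value === 0n) // ERC-20 revoke, but on ERC-721 this approves tokenId 0
    return { risk: "review", call, grantee, reason: "zero amount or tokenId 0; check the token type" };
  return { risk: "high", call, grantee, unlimited: value === MAX_UINT256,
           reason: "grantee can move tokens later without another prompt" };
}

function classifyRequest(req) {
  if (req.method === "eth_sendTransaction") return classifyCalldata(req.params[0].data);
  if (req.method === "eth_signTypedData_v4") {
    const raw = req.params[1]; // params are [account, typedData]
    const typed = typeof raw === "string" ? JSON.parse(raw) : raw;
    if (typed.primaryType === "Permit") // EIP-2612 off-chain allowance
      return { risk: "high", call: "Permit signature", grantee: typed.message.spender,
               reason: "signature lets its holder set an allowance on-chain later" };
  }
  return { risk: "unknown", reason: "not an approval request; review manually" };
}

// Constructed sample requests (addresses are placeholders, not real contracts).
const OPERATOR = "0x" + "11".repeat(20);
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const samples = {
  nftOperator: { method: "eth_sendTransaction", params: [{ data: "0xa22cb465" + pad(OPERATOR) + pad("1") }] },
  unlimited: { method: "eth_sendTransaction", params: [{ data: "0x095ea7b3" + pad(OPERATOR) + "f".repeat(64) }] },
  permitSig: { method: "eth_signTypedData_v4", params: ["0x" + "22".repeat(20),
    JSON.stringify({ primaryType: "Permit", message: { spender: OPERATOR, value: "1" } })] },
  connectOnly: { method: "eth_requestAccounts", params: [] },
};
for (const [name, req] of Object.entries(samples)) console.log(name, classifyRequest(req));
```

A bare connection request (eth_requestAccounts) comes back as unknown rather than high, which matches the point made in the thread that the danger lies in what the site asks you to sign next.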
 
And looking at the image seen in Moonhorse's post, it looks like it could be a hotel :)
 
Assessing a website’s risk requires looking beyond its technical infrastructure. While SSL certificates and domain standing are baseline requirements, they don't account for behavioral intent. A site’s true risk profile is defined by its reputation and the underlying purpose of its content, rather than just its digital footprint.
 
Like, do I know this website from my past history with it, or is this a new site I've landed on, and what's it asking me to do, or to enter into what pop-up window? No thanks, I'm outta there.
 
Exactly. You’re touching on behavioral analysis. A site can have a valid security certificate and a 'clean' domain, but if it immediately hits you with suspicious pop-ups or asks for sensitive info out of nowhere, its intent is clearly malicious. Technical stats tell us if a site is 'official,' but behavior tells us if it's dangerous.
 
Sorry guys, I meant "Habbo Hotel" by the word hotel. It's Habbo/Habbo Hotel in slang.

Sure, I did rush with this topic (thanks to ADHD brain), posting it here and noticing that there aren't any files on this site like a stealer of some kind. It's just typical "type your info" phishing; no clue what the correct word for that is.

Even though Habbo Hotel is just an old kids' game, there are adults still using it for nostalgic reasons, and the phishing campaign is to steal possible crypto/NFTs in the wallet + in-game items that are worth thousands of euros. There are some whales with big bank accounts making money off those NFTs the legal way, as it's intended.

Similar phishing sites to steal credentials are used for RuneScape, and those sites are often flagged fast. What's the reason for an antivirus to block a site? What are the other "red flags" than just NRD?

And the person who flagged it "by community" on VT was me.

Edit: even though I'm a "forum veteran", I'm not that advanced in IT tech; there are all kinds of people here. So-called beginners and experts, and all are welcome in my opinion :)
 
In my browser, it doesn't even open, as it is immediately blocked by Symantec Browser Protection. Ignoring this and continuing, the site is blocked by Kaspersky immediately afterwards. ;)