Chain 5
Desktop Domain Redirection for lagerfeuer.net
Introduction
Tracked: Thursday, 05 March 2026 · 20:00–21:00 CET · Desktop browser simulation
Chain 5 uses the same pushub.net → beedirect.vip pipeline as Chains 2 and 4, but the beedirect.vip offer parameters resolve to a different campaign: the "Krypto Reserve" landing page on nachrichtenanalyse-online.click rather than the Merz/Chrupalla political content. This demonstrates that beedirect.vip operates a dynamic offer rotation - the same distribution hub selects different disinformation campaigns based on real-time bidding parameters. The domain nachrichtenanalyse-online.click is thus a multi-campaign disinformation platform, serving both political and financial fraud content from the same infrastructure.
Overview of the Domain Redirections
| # | Status Code | IP | URL | Redirect Type | Notes |
|---|---|---|---|---|---|
| 1 | 302 | 173.239.53.32 | temporary | - | |
| 2 | 302 | 2600:9000:2017:c000:15:545f:c980:93a1 | temporary | - | |
| 3 | 200 | 2606:4700:3032::6815:1016 | none | Final Destination – Krypto Reserve campaign |
Pictures of the Final Page
AI Analysis
AI Security Analysis
Automated threat assessment · claude-sonnet-4-6
Chain 5 reveals that nachrichtenanalyse-online.click is not a single-campaign disinformation page but a multi-campaign fraud platform. The same domain that serves the Merz/Chrupalla political disinformation in Chains 2 and 4 now delivers a "Krypto Reserve" financial fraud landing page - a fake cryptocurrency investment scheme.
Financial fraud of this nature poses the most direct and quantifiable risk to internet users in this dataset. Cryptocurrency scam pages typically use fake celebrity endorsements, artificial urgency, and fabricated investment returns to extract initial deposits, after which victims are pressured for additional funds and ultimately unable to withdraw. Average reported losses in such schemes in Germany run to several thousand euros per victim.
The reuse of the same domain for both political disinformation and financial fraud strongly suggests a single criminal actor operating across multiple fraud verticals simultaneously. This convergence - using the same infrastructure for influence operations and direct financial crime - is a significant escalation pattern that warrants law enforcement attention beyond standard advertising abuse reporting.
Original Data from Redirect Path
Status Code URL IP Page Type Redirect Type Redirect URL
302 https://xml-v4.pushub.net/click2?i=KcCDL4uOgLE_0&ci=4452604377032219557&j=rv%3Db%26ss%3D2048x1152%26ws%3D2007x962%26wp%3D0x0%26ce%3D1%26ck%3Djc%26cv%3D8782%26cs%3D1%26fr%3D0%26hc%3D0%26fl%3Dnull%26jv%3Dnull%26sc%3D24%26hr%3D3%26rf%3Dfilter.leoyard.com%26lo%3Dlive.pornamigo.com%26mb%3D0%26hb%3D0%26pl%3DLinux%2Bx86_64%26ua%3DMozilla%252F5.0%2B%28X11%253B%2BLinux%2Bx86_64%29%2BAppleWebKit%252F537.36%2B%28KHTML%252C%2Blike%2BGecko%29%2BChrome%252F144.0.0.0%2BSafari%252F537.36%26nd%3D0%26to%3Dnull%26wbd%3D1%26wbde%3D0%26sqm%3D0%26phj%3D0%26nmj%3D0%26sln%3D0%26es%3D0%26ln%3Dde-DE%252Cde%252Cen-US%252Cen%252Cru%26lnl%3D5%26hsc%3D1%26frc%3D1%26dbt%3D0%26prb%3D20030107%26tz%3D-60%26hid%3D0%26mq%3D1%26my%3D8%26geo%3D1%26thx%3D0%26the%3D0%26ths%3D0%26cpc%3D%26ocp%3D%26hwc%3D12%26hrl%3D%26acd%3Dpppmp%26vcd%3Dnpp%26pal%3D5%26pai%3D1%26pli%3D1%26win%3D2007x962%26wout%3D2048x1080%26wpof%3D0x0%26bcld%3D1976x18%26scrp%3D0x0%26scrad%3D2048x1152%26spd%3D24%26pxr%3D1.25%26sck%3D1%26ckl%3D53%26sls%3D1%26sss%3D1%26six%3D1%26sdb%3D0%26vvr%3DGoogle%2BInc.%2B%28AMD%29%26vrd%3DANGLE%2B%28AMD%252C%2BAMD%2BRadeon%2BGraphics%2B%28radeonsi%2Brenoir%2BACO%29%252C%2BOpenGL%2BES%2B3.2%29%26cnvs%3D7f7f7f80%26pnt%3Dprompt%26bch%3D1%26blv%3D1%26mmd_ao%3D1%26mmd_ai%3D1%26mmd_vi%3D0 173.239.53.32 server_redirect temporary https://beedirect.vip/472bd99f-65d0-4b90-9181-567124d140cb?pubfeed_subid=1016057_236836&offer=3459802&banner=7342011&campaign=1903873&pubfeed=1016057&subid=236836&bid=0.0036&clickid=PcrUFwpa26U
302 https://beedirect.vip/472bd99f-65d0-4b90-9181-567124d140cb?pubfeed_subid=1016057_236836&offer=3459802&banner=7342011&campaign=1903873&pubfeed=1016057&subid=236836&bid=0.0036&clickid=PcrUFwpa26U 2600:9000:2017:c000:15:545f:c980:93a1 server_redirect temporary https://nachrichtenanalyse-online.click/c/de/48_krypto_reserve/?method=pop®form=1&on=Krypto%20Reserve&icid=whmqmpja0cf15oogjdqo87ba&traff=ee903878-3dd9-4e7f-a44a-09a84f313c34&cmp=472bd99f-65d0-4b90-9181-567124d140cb&state
200 https://nachrichtenanalyse-online.click/c/de/48_krypto_reserve/?method=pop®form=1&on=Krypto%20Reserve&icid=whmqmpja0cf15oogjdqo87ba&traff=ee903878-3dd9-4e7f-a44a-09a84f313c34&cmp=472bd99f-65d0-4b90-9181-567124d140cb&state 2606:4700:3032::6815:1016 normal none none