Research Summary: The MetaChat Brand Impersonation Campaign
Date: April 2026
Source: PreCrime™ Labs
The rapid expansion of the AI economy has created a lucrative new playground for cybercriminals targeting high-value API assets. While most security providers focus on reactive cleanup, identifying the underlying infrastructure of campaigns that exploit legitimate brands like MetaChat, an AI aggregation platform, is the only way to stay ahead of automated fraud.
PreCrime™ Labs, the research division at BforeAI, analyzed an organized cluster of MetaChat phishing domains, which shows clear clustering around AI-tool aggregation themes as adoption of the AI ecosystem accelerates. MetaChat, one such platform, currently offers access to over 30 AI models with one account, including but not limited to ChatGPT, Gemini, Claude, Nano Banana, Midjourney, Grok, DeepSeek and more. The researchers observed about 18 domains registered through the free hosting platform “EdgeOne Pages” that follow a specific pattern and expose indicators that can be leveraged for predictive analysis.

Campaign Overview
All domains follow an identical three-part naming convention, suggesting an AI-generated naming pattern: the structure metachat-backend-[unique-identifier][.]edgeone[.]app remains constant and only the identifier changes.

Dataset and Methodology
The operators behind this infrastructure are spinning up impersonation infrastructure on a regular cadence to harvest user credentials, API keys, and payments. These domains harvest credentials, steal user-supplied AI API keys, and run WeChat Pay “recharge” fraud with a two-tier referral/MLM layer.
The observed endpoints suggest the following likely data harvesting and abuse patterns:
- /user-register, /user-login: user credentials (email/username, passwords, possibly phone numbers)
- /user-api-key, /user-api-info: API keys, access tokens, account metadata
- /user-recharge, /orders, /chat/payment: payment details, transaction data, wallet balances (linked to WeChat Pay flows)
- /approval-token-withdraw: internal tokens, withdrawal authorization data, linked wallet/account identifiers
- /user-referees, SubAgentRefereeRechargePackage: referral network data, user IDs, commission structures, downstream victim mapping
EdgeOne Infrastructure Analysis: The Blueprint of AI Impersonation
The concentration of domains within a few registrars, combined with a long tail across others, suggests a semi-automated registration approach in which attackers prioritize ease of acquisition and cost efficiency while maintaining redundancy. This pattern is consistent with scalable phishing or malware campaigns that leverage bulk domain generation, and it reflects the attackers' reliance on scalable, easily disposable environments.
Predictive Analysis
Based on this campaign, PreCrime Labs predicts a significant rise in similar campaigns across other free hosting platforms, following broadly similar naming conventions. For example, another instance shows a sponsored search result impersonating a legitimate AI tool (Claude Code) using a GitLab-hosted domain (claude-app-new[.]gitlab[.]io).
The placement above the official link suggests a malvertising-based initial access vector, where attackers exploit user intent and platform trust to drive clicks. Such infrastructure typically leverages trusted hosting services to appear credible while enabling credential harvesting, payload delivery, or trojanized downloads, reflecting a broader shift toward search engine manipulation as an entry point for cyber threats.

Pattern Recognition for AI Phishing
Our research indicates that these campaigns follow a predictable three-part naming convention: metachat-backend-[unique-id].edgeone.app. Security teams should flag any new subdomains on free hosting providers that combine “backend” identifiers with AI-specific keywords. By identifying these structural indicators before they appear in sponsored search results, organizations can preemptively sinkhole these domains and neutralize the malvertising vector.
Impact
Credential Compromise and Account Takeover: Harvested credentials from /user-login and /user-register endpoints may lead to unauthorized access to user accounts, enabling further abuse and lateral compromise.
Data Exposure and Targeted Attacks: Collection of user data, account metadata, and behavioral patterns can facilitate spear-phishing, identity theft, and follow-on social engineering campaigns.
Scalable Threat with Rapid Infrastructure Rotation: The use of automated domain generation and cloud hosting enables continuous campaign expansion, increasing the likelihood of sustained user exposure and repeated exploitation.
API Key Theft and Service Abuse: Exposure of API keys and tokens can result in unauthorized consumption of AI services, financial losses due to usage charges, and potential resale of access on underground markets.
For example, the researchers captured a screenshot in which anonymous sellers on SEO and chat forums discuss actively selling discounted AI subscriptions (e.g., Claude, Cursor), in line with broader patterns of unauthorized access resale observed in cybercrime ecosystems. While no direct attribution can be established, this activity provides contextual support for the identified campaign targeting AI users.
The phishing infrastructure observed in this campaign, designed to harvest credentials, API keys, and payment data, can plausibly serve as an upstream source for such marketplaces. Stolen or fraudulently obtained access to AI services may be resold at lower cost, creating a monetization loop that connects phishing, data theft, and underground commerce.

How to Prevent AI Ecosystem Attacks: Preemptive Security Controls
User Recommendations
- Enforce Multi-Factor Authentication (MFA) for all user accounts, especially developer and API-access roles.
- Monitor for unauthorized API usage spikes or anomalous access patterns across chat history.
- Enhance account monitoring where financial transactions are involved, for example, unusual payment flows linked to third-party services (e.g., WeChat Pay).
- Verify official domains before logging in or submitting an API key.
Organizational Controls
From the dataset, PreCrime Labs identifies the following concrete indicator categories for preemptive security:
Keyword tracking: Domains created in the last 30 to 60 days that contain keywords such as “metachat”, “ai”, “api”, “chat”, “gpt” or “key”, or combinations suggestive of AI-aggregating applications, can represent early-stage infrastructure and should be scored higher for brand, fraud, and policy monitoring.
Thematic bundles: Domains that cluster on shared infrastructure, consistent keywords, or common registration patterns are ideal candidates for graph-based clustering, sinkholing, and pre-registration policy controls at registrars.
Financial strings: Finance-oriented keywords such as “recharge”, “wallet” or “login” in a new registration, particularly on free hosting platforms or via high-risk registrars, are likely precursors to fraud targeting populations drawn to AI applications.
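The following is an added detection example, not code from PreCrime Labs or BforeAI. It turns the naming convention from the Pattern Recognition section, the harvesting endpoints listed under Dataset and Methodology, and the three indicator categories above into a scoring function for newly observed hostnames, then runs it over constructed proxy log lines. The point weights, the 40-point threshold, the `score_domain`/`triage_proxy_log` names and the log format are assumptions; only the first sample host is taken from the report.

```python
import re
FREE_HOSTING = (".edgeone.app", ".gitlab.io")  # free hosting suffixes named in the report
AI_KEYWORDS = {"metachat", "ai", "api", "chat", "gpt", "key"}
FINANCE_KEYWORDS = {"recharge", "wallet", "login"}
# The constant three-part convention: metachat-backend-<unique id>.edgeone.app
METACHAT_PATTERN = re.compile(r"^metachat-backend-[a-z0-9]+\.edgeone\.app$")
# Endpoint paths the report ties to credential, API-key and payment harvesting.
HARVEST_PATHS = {"/user-register", "/user-login", "/user-api-key", "/user-api-info",
                 "/user-recharge", "/orders", "/chat/payment",
                 "/approval-token-withdraw", "/user-referees"}

def score_domain(host, age_days=None):
    """Score a newly observed hostname; the point weights are this example's assumptions."""
    host = host.lower().rstrip(".")
    labels = set(re.split(r"[.-]", host))  # hostname labels, split on dots and hyphens
    on_free = host.endswith(FREE_HOSTING)
    ai_hits = ",".join(sorted(labels & AI_KEYWORDS))
    fin_hits = ",".join(sorted(labels & FINANCE_KEYWORDS))
    checks = [  # (points, reason, fired?)
        (50, "metachat-backend naming convention", bool(METACHAT_PATTERN.match(host))),
        (10, "free hosting platform", on_free),
        (20, "backend label with AI keyword(s) " + ai_hits, bool(ai_hits) and "backend" in labels),
        (5, "AI keyword(s) without backend label " + ai_hits, bool(ai_hits) and "backend" not in labels),
        (15, "finance string(s) on free hosting " + fin_hits, bool(fin_hits) and on_free),
        (15, "registered within the last 60 days", age_days is not None and age_days <= 60),
    ]
    fired = [(points, why) for points, why, cond in checks if cond]
    return sum(points for points, _ in fired), [why for _, why in fired]

def triage_proxy_log(lines, threshold=40):
    """Parse 'timestamp host path' lines and return (host, path, score, reasons) above threshold."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3: continue
        host, path = parts[1], parts[2].split("?", 1)[0]  # drop the query string
        score, reasons = score_domain(host)
        if path in HARVEST_PATHS:  # path alone is weak evidence; it only adds to the host score
            score, reasons = score + 20, reasons + ["harvest endpoint " + path]
        if score >= threshold:
            hits.append((host, path, score, reasons))
    return hits

# Constructed proxy log lines; the first host is the report's own sample domain.
SAMPLE_LOG = [
    "2026-04-02T10:00:01Z metachat-backend-if62u290lb.edgeone.app /user-api-key",
    "2026-04-02T10:00:05Z docs.example-ai-vendor.test /docs",
    "2026-04-02T10:00:09Z shop.example.test /orders",
    "2026-04-02T10:01:00Z chat-recharge-x7.edgeone.app /user-recharge?src=ad",
]
```

Note that a legitimate shop calling `/orders` scores only 20 and is not flagged, while a free-hosted host combining a finance string with a recharge endpoint crosses the threshold without matching the MetaChat pattern at all, which is the generalization the Predictive Analysis section anticipates.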
FAQs
How do attackers steal AI API keys?
Attackers use phishing sites that mimic AI aggregators, prompting users to input their own API keys for “model access,” which are then harvested and resold.
What is EdgeOne phishing?
It refers to malicious actors hosting phishing pages on “EdgeOne Pages” to leverage the platform’s reputation and free hosting to bypass security filters.
How can I detect fake AI tools?
Look for suspicious naming patterns (e.g., metachat-backend-[random-string]) and verify that the domain matches the official provider’s documentation.