Verified Targeted Scraping Attacks and the “Shadow Wizard Money Gang” – In-Depth Analysis
Introduction
Over the past several months, a persistent and coordinated web scraping/probing campaign has been targeting our systems. What makes this campaign unusual is its apparent human-triggered initiation followed by bursts of automated scraping from multiple networks. The attackers have even adopted the ironic moniker “Shadow Wizard Money Gang”, a name lifted from an internet meme, in their communications and tooling. Despite the whimsical alias, the pattern of activity is deliberate and malicious – and evidence now conclusively ties the attack orchestrator to an IPv6 address in Winnipeg, Manitoba, even as the attackers attempt to mislead by posing as “Irish” or international actors. This report compiles our findings in detail, including a step-by-step case study of a recent attack on December 8, 2025, analysis of recurring patterns since April 2025, and insights into the threat actor’s identity and tactics.
Case Study: December 8, 2025 Attack Chain
On Dec 8, 2025, we captured a complete end-to-end sequence of the attack, confirming how a human action immediately triggers automated scraping. The timeline of this incident is as follows:
Human Initiation via LinkedIn (Winnipeg) – At 12:31 PM CST, a request hit our site originating from a Shaw Communications residential IPv6 address in Winnipeg (ASN 6327) with a referrer android-app://com.linkedin.android/. In other words, someone using the LinkedIn mobile app clicked a link to our site. This is significant because that referrer string is unique to LinkedIn’s Android app, something bots or scrapers would not normally emulate. The Cloudflare logs confirm the client IP 2604:3d09:c57e:fa40:8114:598c:3643:2e29 (Shaw Winnipeg) and the LinkedIn app referrer and user-agent, indicating a legitimate mobile device visit. This proves a real human user in Winnipeg initiated the session, rather than an automated scanner.
OVH France Scanners Fetch Resources – Almost immediately after the LinkedIn-driven page view, two OVH (a French hosting provider) servers began fetching resources from the site. We observed requests from IPs 87.98.114.121 and 87.98.111.45 (OVH’s network) retrieving certain assets. These appeared to be scouting requests, likely pre-loading or analyzing content. OVH is commonly used for running bots or scanners, and seeing French hosts engage right after the Winnipeg visit suggests a hand-off: the Winnipeg user’s click may have alerted or signaled these nodes to start pulling data.
ServerMania Canada Scrapers Launch – Next, a wave of high-speed scraping was triggered from multiple Canadian-based VPS instances. Specifically, nodes on ASN 55286 (ServerMania – a cloud provider with presence in Canada) began hitting our site in rapid succession. Among the IPs involved were 161.115.224.187, 152.232.215.250, and 38.170.103.82. These hosts made a flurry of requests to internal JavaScript files and API endpoints on our site within a very short time window. They systematically pulled down files that are not typically accessed by casual browsing, including internal modules like chatEngine.js, memoryEngine.js, chatEvents.js, router definitions, analytics scripts, game logic files, firestoreMirror.js, superSecret.js, uiToggle.js, various hashed route URLs, and more. All of these requests were tightly clustered in time, indicating an automated, multi-threaded scraping tool was unleashed immediately following the initial human visit. The targeting of these specific files shows the attackers were attempting to map out the site’s internal architecture and logic, not just grabbing public pages.
Additional Analytics Fetch via Frontier – In the midst of the scraping, we also saw an IP from Frontier Communications (ASN 5650, a U.S. ISP) – 104.251.93.240 – making requests for certain analytics-related resources. This might have been another node in the attack sequence (possibly a compromised home broadband host or just another rented server on Frontier’s network) tasked with grabbing usage or analytics scripts. The timing and targeting (it fetched specific analytics modules) suggest it was coordinating with the other scrapers, perhaps to gather telemetry or to scrape data that the primary scrapers hadn’t.
Honeypot Trip by Wowrack Bot – Finally, the attack sequence tripped one of our honeypot “bot trap” URLs. A request to an exclusive honeypot path (/botTrap/botTrap3.html) was made by 216.244.66.233, which is an IP hosted by Wowrack in Washington state, US. This was a tell-tale malicious hit – genuine users would never find that hidden path. 216.244.66.233 has a bad reputation, with over 2,000 abuse reports. The presence of this host indicates the attacker’s crawling infrastructure is thorough enough to discover and access decoy links or non-public endpoints, likely via automated crawling.
All of these steps occurred in close succession, painting a clear picture: a human operative in Winnipeg triggers a link visit, and almost instantly a coordinated swarm of bots from various data centers kicks in to scrape the site. The timing and targeting were not random – they were orchestrated. This same pattern (a human “leader” followed by bot “followers”) has occurred multiple times over the last year, though often we only saw the bots and not the initiating human. The December 8th incident was the first where the entire chain was observed end-to-end, thanks to enhanced logging.
Persistent Pattern Since April 2025
Our investigation reveals that the December 8 attack was not an isolated incident, but rather part of a long-running campaign that began in April 2025. Over the past eight months, we have documented numerous similar burst attacks. Key characteristics of this campaign include:
Winnipeg IPv6 Orchestrator
The one constant in all these attacks is an IPv6 address from Shaw Communications in Winnipeg (ASN 6327) that appears at the onset of each timeline. In multiple cases from April through November, an address in the 2604:3d09: prefix (a range assigned to Shaw’s residential customers in Manitoba) is the first to hit our site immediately before a burst of bot activity. In other words, the attacker’s home base is consistently a Shaw Winnipeg connection, acting as the orchestrator or anchor for the rest of the botnet. This was initially puzzling – one typically expects attackers to hide behind VPNs or Tor even for manual steps – but it suggests the person at the keyboard either feels safe using their regular ISP or cannot easily be distinguished from a normal user when arriving through LinkedIn or similar channels.
Multi-Cloud Botnet Nodes
After the Winnipeg IPv6 “anchor” visit, a set of remote nodes on various ASNs fire off requests in a synchronized fashion. We’ve seen hosts from cloud providers and data centers around the world used in these bursts. For example, past incidents showed involvement of Azure servers in Dublin, Ireland (Microsoft ASN 8075), hosts in Warsaw, Poland (1337 Services, ASN 210558), servers in Germany (Hetzner Online, ASN 24940), and others. These tend to operate on a schedule – notably, during a period in August 2025, we observed a strict 30-minute cadence where probes would hit at hh:01 and hh:31 past the hour like clockwork. This timing pattern held consistently across different nodes and countries, indicating a single scheduler or orchestrator behind the scenes. The temporal alignment across Ireland, Poland, Germany, and Winnipeg strongly pointed to a coordinated operation rather than random noise.
Burst Clusters of Requests
The attacks typically occur in short bursts (often around 25 requests within less than 10 seconds) rather than continuous crawling. Our analysis code identified these “burst clusters” automatically by clustering requests in time. Each cluster usually had the Winnipeg IPv6 as the first hit (in those earlier examples, usually with no referrer), followed almost immediately by 3–5 other hosts, each making a flurry of requests. A burst typically comprised about two dozen requests, many of them to distinct paths, suggesting an attempt to enumerate many endpoints quickly. We also noted a consistent user-agent string across many of the automated bursts: python-httpx/0.28.1, the default UA of the Python HTTPX library. This indicates the attacker is likely using a custom Python scraping script or toolkit to orchestrate these concurrent requests.
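The burst clustering described here and the hh:01/hh:31 cadence noted under “Multi-Cloud Botnet Nodes” can both be checked with a few lines of log analysis. The following is an added example, not the analysis code used in this investigation. It assumes Cloudflare Logpush HTTP request field names (EdgeStartTimestamp, ClientIP, ClientRequestPath, ClientRequestUserAgent, ClientRequestReferer); the /js/ and /r/ paths, the 2001:db8/203.0.113 and 198.51.100 bystander addresses and every timestamp are constructed, while the client IPs, the Shaw prefix, the LinkedIn referrer and the user-agent strings are the ones reported above.

```python
"""Burst-cluster and cadence detection over Cloudflare-style request logs.

Added example, not the write-up's own analysis code. Field names follow Cloudflare
Logpush HTTP request fields (assumed log format); the /js/ and /r/ paths and all
timestamps are constructed. The IPs and the Shaw prefix are those the write-up reports.
"""
import ipaddress
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

ANCHOR_PREFIX = ipaddress.ip_network("2604:3d09::/32")   # Shaw residential IPv6 range (per write-up)
AUTOMATION_UA_MARKERS = ("python-httpx/", "ShadowWizardMoneyGang")


def parse_logs(text):
    """Parse newline-delimited JSON into dicts with a UTC datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["EdgeStartTimestamp"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_bursts(events, window_s=10, min_requests=20, min_hosts=3):
    """Cut the timeline into clusters no wider than window_s; keep dense multi-host ones.

    A burst is >= min_requests from >= min_hosts distinct IPs (the ~25 requests from
    3-5 hosts in under 10 s described above). The first hit is reported as the anchor.
    """
    clusters, current = [], []
    for ev in events:
        if current and (ev["ts"] - current[0]["ts"]).total_seconds() > window_s:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    bursts = []
    for c in clusters:
        hosts = {e["ClientIP"] for e in c}
        if len(c) < min_requests or len(hosts) < min_hosts:
            continue
        anchor = c[0]
        bursts.append({
            "start": anchor["ts"], "span_s": (c[-1]["ts"] - anchor["ts"]).total_seconds(),
            "requests": len(c), "hosts": sorted(hosts),
            "unique_paths": len({e["ClientRequestPath"] for e in c}),
            "anchor_ip": anchor["ClientIP"],
            "anchor_in_shaw_prefix": ipaddress.ip_address(anchor["ClientIP"]) in ANCHOR_PREFIX,
            "anchor_referrer": anchor.get("ClientRequestReferer", ""),
            "automation_hits": sum(any(m in e["ClientRequestUserAgent"] for m in AUTOMATION_UA_MARKERS)
                                   for e in c),
        })
    return bursts


def cadence_profile(timestamps, top_n=2, min_share=0.6):
    """Flag a scheduler: most hits fall on a few fixed minutes of the hour (e.g. :01 and :31)."""
    counts = Counter(t.minute for t in timestamps)
    top = counts.most_common(top_n)
    share = sum(n for _, n in top) / len(timestamps)
    return {"minutes": sorted(m for m, _ in top), "share": round(share, 3), "scheduled": share >= min_share}


# --- constructed sample data ---------------------------------------------------------
SCRAPED_PATHS = ["/js/chatEngine.js", "/js/memoryEngine.js", "/js/chatEvents.js", "/js/router.js",
                 "/js/analytics.js", "/js/gameLogic.js", "/js/firestoreMirror.js", "/js/superSecret.js",
                 "/js/uiToggle.js"] + [f"/r/{i:04x}" for i in range(14)]   # 14 hashed-looking routes
SERVERMANIA = ["161.115.224.187", "152.232.215.250", "38.170.103.82"]


def build_sample_log():
    """JSON lines mimicking the Dec 8 chain; offsets are seconds from the anchor hit (invented)."""
    base = datetime(2025, 12, 8, 18, 31, 0, tzinfo=timezone.utc)        # 12:31 CST
    def rec(offset, ip, path, ua, ref=""):
        ts = base + timedelta(seconds=offset)
        return json.dumps({"EdgeStartTimestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), "ClientIP": ip,
                           "ClientRequestPath": path, "ClientRequestUserAgent": ua, "ClientRequestReferer": ref})
    httpx = "python-httpx/0.28.1"
    rows = [rec(-900, "198.51.100.7", "/", "Mozilla/5.0"),                          # unrelated earlier visitor
            rec(0, "2604:3d09:c57e:fa40:8114:598c:3643:2e29", "/", "Mozilla/5.0 (Linux; Android 14)",
                "android-app://com.linkedin.android/"),                           # human anchor via LinkedIn app
            rec(1.5, "87.98.114.121", "/assets/app.css", httpx),                  # OVH scouting
            rec(1.7, "87.98.111.45", "/assets/app.js", httpx)]
    rows += [rec(3 + i * 0.2, SERVERMANIA[i % 3], p, httpx) for i, p in enumerate(SCRAPED_PATHS)]
    rows += [rec(8.0, "104.251.93.240", "/js/analytics.js", httpx),              # Frontier analytics fetch
             rec(9.5, "216.244.66.233", "/botTrap/botTrap3.html", "ShadowWizardMoneyGang"),  # honeypot trip
             rec(600, "203.0.113.9", "/about", "Mozilla/5.0")]                    # unrelated later visitor
    return "\n".join(rows)


def build_sample_cadence():
    """Eight hours of probes at hh:01 and hh:31 plus three stray hits (constructed)."""
    day = datetime(2025, 8, 12, tzinfo=timezone.utc)
    hits = [day.replace(hour=h, minute=m) for h in range(8) for m in (1, 31)]
    return hits + [day.replace(hour=9, minute=m) for m in (14, 47, 52)]
```

Running `find_bursts(parse_logs(build_sample_log()))` on the constructed log yields a single burst of 28 requests from 8 hosts spanning 9.5 s, with the Shaw address as the anchor, the LinkedIn app referrer on that anchor, and 27 requests carrying an automation user-agent; the two bystander visits fall into their own one-request clusters and are dropped. `cadence_profile(build_sample_cadence())` reports minutes [1, 31] carrying 84% of hits, which is the “clockwork” signal worth alerting on. The window-based clustering deliberately keeps the anchor in the same cluster as the bots that follow it, which is what lets the human hit be correlated with the burst rather than dismissed as an ordinary page view.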
Evolution of Techniques
Early on, we internally dubbed the threat the “Ireland Botnet” in August 2025 because a lot of traffic was coming from an Azure IP in Ireland and the attacker was trying to present as Irish. However, as we gathered more data, it became clear the true mastermind was the Winnipeg user, and the overseas servers were disposable “drones”. In later months (October and November), as our defenses improved, the attacker experimented with different nodes (for example Google Cloud IPv6 addresses that resemble Googlebot, Cloudflare Workers, and so on) to evade blocking. The core pattern though – Winnipeg first, bots second – never changed. The December 8 incident further confirmed this by revealing the LinkedIn app vector for the Winnipeg user to appear legitimate.
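Nodes that merely resemble Googlebot (a Google Cloud IPv6 address with a crawler user-agent) are separable from the real crawler with forward-confirmed reverse DNS, the verification Google documents for its crawlers: the client IP must have a PTR name under googlebot.com or google.com, and that name must resolve back to the same IP. The check below is an added example that goes beyond what the write-up itself did; it is not the site's code. The resolver is injected so the logic runs offline, and TableResolver together with its 2001:db8::/32 documentation addresses and example.net hostnames are constructed for illustration.

```python
"""Forward-confirmed reverse DNS check for traffic that claims to be Googlebot.

Added example, not from the write-up. Genuine Googlebot reverse-resolves to a name
under googlebot.com or google.com and that name resolves back to the same IP; an
attacker controls the PTR for their own address but not Google's forward zones,
so the round trip is what a forged PTR cannot fake. TableResolver and its entries
are constructed; 2001:db8::/32 is reserved for documentation.
"""
import ipaddress
import socket

GOOGLE_RDNS_SUFFIXES = (".googlebot.com", ".google.com")


class SystemResolver:
    """Live lookups for production use."""
    def reverse(self, ip):
        return socket.gethostbyaddr(ip)[0]            # raises OSError when no PTR exists

    def forward(self, name):
        return {info[4][0] for info in socket.getaddrinfo(name, None)}


class TableResolver:
    """Offline stand-in: PTR and A/AAAA data supplied as dicts (constructed data)."""
    def __init__(self, ptr, fwd):
        self.ptr, self.fwd = ptr, fwd

    def reverse(self, ip):
        if ip not in self.ptr:
            raise OSError("no PTR record")
        return self.ptr[ip]

    def forward(self, name):
        if name not in self.fwd:
            raise OSError("no forward record")
        return set(self.fwd[name])


def verify_googlebot_claim(ip, user_agent, resolver):
    """Return (verdict, reason) with verdict in {'not_claimed', 'verified', 'spoofed'}.

    Only requests whose UA claims Googlebot are checked. 'verified' means the PTR
    name is under Google's crawler domains AND resolves back to ip.
    """
    if "Googlebot" not in user_agent:
        return "not_claimed", "user-agent does not claim Googlebot"
    try:
        name = resolver.reverse(ip)
    except OSError:
        return "spoofed", "no PTR record for client IP"
    if not name.lower().endswith(GOOGLE_RDNS_SUFFIXES):
        return "spoofed", f"PTR {name!r} is not under googlebot.com/google.com"
    try:
        forward_ips = {ipaddress.ip_address(a) for a in resolver.forward(name)}
    except OSError:
        return "spoofed", f"PTR name {name!r} has no forward record"
    if ipaddress.ip_address(ip) not in forward_ips:
        return "spoofed", f"{name!r} does not resolve back to {ip}"
    return "verified", f"forward-confirmed via {name!r}"


# Constructed lookup tables for the four cases a defender sees.
SAMPLE_RESOLVER = TableResolver(
    ptr={
        "2001:db8::1": "crawl-2001-db8-0-1.googlebot.com",   # genuine-looking and confirmed below
        "2001:db8::2": "vm-42.hosting.example.net",         # cloud VM sending a Googlebot UA
        "2001:db8::3": "crawl-fake.googlebot.com",          # forged PTR that does not round-trip
    },                                                      # 2001:db8::4 has no PTR at all
    fwd={
        "crawl-2001-db8-0-1.googlebot.com": ["2001:db8::1"],
        "vm-42.hosting.example.net": ["2001:db8::2"],
        "crawl-fake.googlebot.com": ["2001:db8::99"],
    },
)
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
```

In practice the result is cached per IP, because the two lookups cost more than serving the request, and only a “verified” result earns the crawler allowance in rate-limit rules; everything else with a crawler user-agent is treated as the plain hosting-provider traffic it is. The same pattern applies to any crawler whose operator publishes a reverse-DNS domain.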
Collateral Damage and Impact
The campaign has not just been limited to HTTP(S) requests. In August 2025, a particularly severe incident saw the attacker perform mass mailing list sign-up abuse, flooding one of our systems with tens of thousands of bogus email subscriptions and even spoofing sender identities. In the aftermath of an August 9 attack, we found our mailing list stuffed with thousands of new entries, apparently part of the attacker’s disruptive tactics (later cleaned up). This was accompanied by direct threatening emails sent to us: one such message on August 9 contained violent threats and was attributed (falsely) to a public figure’s name, clearly as intimidation. These aggressive moves show the attacker’s goal is not just quiet reconnaissance – it is also harassment and damage.
Crucially, throughout all these events, the only truly persistent origin has been the Shaw IPv6 subnet in Winnipeg. The cloud hosts (whether Azure, OVH, ServerMania, Hetzner, and so on) have changed or been rotated, presumably as the attacker spins up new virtual machines or uses VPN exits. Those are essentially disposable infrastructure. But the Winnipeg device appears to be a long-term fixture – likely the attacker’s personal device or network. In short, all roads lead back to Winnipeg.
The “Shadow Wizard Money Gang” Persona
One of the more bizarre aspects of this campaign is the attacker’s adoption of the name “Shadow Wizard Money Gang” (SWMG) in various artifacts. This phrase originates from a popular internet meme rather than any established hacker group, which provides insight into the attacker’s mindset and possible identity.
Meme Origin
“Shadow Wizard Money Gang, we love casting spells” is a viral phrase that came from a DJ Smokey producer tag in a 2022 song and blew up on TikTok in early 2023. It spawned countless parody videos and fan art of cartoonish wizards, becoming a widespread joke. The term has no genuine cybercrime or organized crime background – it is purely an internet pop-culture reference. For example, even college cybersecurity clubs have jokingly adopted the name; a University of Tulsa team in a 2023 cyber competition called themselves “Shadow Wizard Money Gang”. In other words, anyone using this name is almost certainly doing so ironically.
Attacker’s Use of SWMG
Despite the silliness, our attacker has consistently used “Shadow Wizard Money Gang” as a self-identifier in the campaign. Notably, the spam email wave we caught in August included spoofed sender names like “SHADOW WIZARD MONEY GANG – IRELAND DIVISION”. This implies the attacker was play-acting as a member of some Shadow Wizard Money Gang, even inventing an “Ireland Division” for it. It was likely meant to taunt or mislead us – presenting the harassment as if it were coming from an organized international collective. We also discovered that the custom user-agent string “ShadowWizardMoneyGang” was used in some of the attacker’s HTTP requests, essentially signing their work with the meme name.
Interpretation – Script Kiddie Culture
The adoption of a meme as an alias and the overall style of this campaign strongly suggest that we are dealing with what the infosec community would call a “script kiddie” or at best a small group of amateur hackers. In underground circles, serious threat actors do not announce their presence with jokey names in user-agents, nor do they typically harass targets so brazenly over months unless there is a personal vendetta. The Shadow Wizard Money Gang meme is popular among younger internet users, and on at least one forum a user who was “threatened by a hacker group” with this name was reassured that it was probably just some kids playing around rather than a real nation-state or crime syndicate. Our evidence aligns with that view: the attacker is technically adept in using cloud resources and automating attacks, but the operational security is lax (for example using their home IP, leaving meme fingerprints) and the motive appears personal. There is no sign this is about financial gain – there have been no ransom demands or true extortion attempts – it looks more like cyberstalking or revenge trolling under the guise of a meme.
Misdirection with “Irish Stalkers”
The attacker’s deliberate use of “Ireland Division” and the earlier heavy use of Irish IP addresses (Azure in Dublin) were meant to mislead attribution. Early on, we indeed wondered if we had attracted the ire of some Irish hacker group. The phrase “Shadow Wizard Money Gang – Ireland Division” is almost cartoonish in how it tries to pin the origin elsewhere. By mixing genuine Irish infrastructure with that label, the attacker clearly wanted us to believe some Irish stalkers or a European botnet were after us. In reality, as discussed, the brains of the operation are sitting in Manitoba, and likely always were. The “Irish” angle was a smokescreen – one that we have now seen through, thanks to the consistent forensic evidence linking everything back to the Winnipeg IPv6 subnet.
Why Winnipeg? – Possible Motivation
The natural question is: Why would someone from Winnipeg be so interested in targeting us? The answer likely lies in who the attacker is and their relationship to the target. While we must be careful not to speculate on specific individuals, the evidence strongly suggests this is a targeted campaign rather than random opportunistic hacking.
Local Adversary Theory
If the orchestrator is indeed located in Winnipeg, it could mean the attacker is someone in our vicinity or who knows us personally or professionally. Many cyber harassment cases turn out to be perpetrated by acquaintances, former colleagues, or others with a grievance. The fact that the person is not hiding their ISP origin (Shaw account) could imply a sense of impunity or a lack of sophistication – or simply that they feel entitled to operate from home because this is personal. The persistence since April and the sheer effort (utilizing multiple servers, scripting, and so on) indicate a strong motive like revenge, rivalry, or silencing. It is possible our work or our website’s content (for example investigative postings or critical commentary) touched a nerve with someone in the local area.
Obsessive Harassment
The attacker’s pattern of behavior – including sending threatening emails with violent language and conducting denial-of-service via mailing list spam – goes beyond mere curiosity. It veers into cyberstalking and intimidation. All of this reinforces that the attacker’s interest in us is deeply personal. They do not want money; they want to scare, confuse, or punish us.
Ease of Hiding in Plain Sight
Aside from the attacker likely living in Manitoba, they may feel that using their normal ISP with an IPv6 address does not immediately scream “hacker” the way a known VPN or Tor exit node might. A residential IP can fly under some radars. By coupling that with a legitimate app referral (LinkedIn), the attacker likely hoped to appear as an innocuous visitor. This technique worked for a while – such traffic would not normally trigger suspicion. Only by correlating it with the subsequent bot activity did it become obvious that the LinkedIn user was the “launch button” for the scrape.
No Known Group – Just a Meme
We considered whether “Shadow Wizard Money Gang” might be a real collective or crew operating out of Manitoba, but there is no evidence of any organized cyber group by that name. All signs point to this being one individual (or a small tight-knit team) adopting a trending meme as a guise. The various cloud servers are tools, not separate actors. So, “people from Winnipeg” might actually just be one person in Winnipeg.
Conclusion and Ongoing Response
Our investigation has verified the full chain of this targeted scraping attack, from the human initiator to the swarm of bots, and has unmasked the “Shadow Wizard Money Gang” for what it truly is: a fanciful label on a coordinated harassment campaign by a likely local actor. The data collected – Cloudflare logs, firewall events, honeypot captures, and email records – all reinforce the same conclusions:
- The attacker is leveraging a hybrid of legitimate access (social media referrals from a real device) and automated cloud-based scrapers to probe and copy our web content at high speed.
- The modus operandi has remained consistent for months, indicating this is a determined effort and not a one-off attack.
- By adopting the “Shadow Wizard Money Gang” persona, the attacker reveals a culture steeped in internet meme lore and likely a youthful or troll-oriented mindset, but their poor operational security has left clear breadcrumbs.
We are continuing to catalog and document every event in this campaign as part of a larger investigation. All logs and evidence have been preserved, and an incident report has been submitted to the RCMP for record purposes due to the interstate and international elements as well as the threatening nature of some communications. At this time, there has been no response or engagement from law enforcement, and no confirmation that any investigative steps have been taken. The submission was made to ensure the activity is formally documented.
From a defense perspective, we have implemented stricter WAF rules and rate-limiting to mitigate these bursts. For example, we now challenge or block traffic matching the known patterns (certain user-agents like python-httpx or obviously non-human burst behavior). Our strategy has shifted to a more nuanced approach as we understand the topology: rate-limit or block cloud hosts that hit too fast, while also keeping an eye on that telltale Shaw ASN 6327 traffic.
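The mitigations described in this section (blocking fingerprinted user-agents and honeypot hits, rate-limiting hosting providers that hit too fast, and watching rather than blocking Shaw AS6327) compose into a single ordered policy. The following is an added example, not the site's actual WAF or rate-limit configuration: the thresholds, the rule order and the “challenge” action for residential overflow are assumptions, the hosting ASN list is the set named in this write-up, and the per-request ASN is passed in as a parameter because a real deployment obtains it from the edge provider or an ASN database.

```python
"""Edge request policy combining the mitigations the write-up describes.

Added example, not the site's WAF configuration. Blocks honeypot hits and known
automation user-agents, rate-limits hosting ASNs more tightly than residential
ones, and tags (without blocking) traffic from Shaw AS6327 for correlation.
Thresholds and rule order are assumptions.
"""
from collections import defaultdict, deque

BLOCKED_UA_MARKERS = ("python-httpx/", "ShadowWizardMoneyGang")
HONEYPOT_PREFIX = "/botTrap/"                  # decoy paths never linked from visible pages
WATCH_ASNS = {6327}                            # Shaw Communications (Winnipeg): tag, do not block
HOSTING_ASNS = {55286, 8075, 24940, 210558}    # ServerMania, Microsoft, Hetzner, 1337 Services (per write-up)


class RequestPolicy:
    def __init__(self, hosting_limit=10, hosting_window_s=10, default_limit=60, default_window_s=60):
        self.hosting = (hosting_limit, hosting_window_s)
        self.default = (default_limit, default_window_s)
        self.hits = defaultdict(deque)    # ip -> recent request times (sliding window)
        self.trapped = set()              # ips that ever fetched a honeypot path

    def _over_limit(self, ip, limit, window_s, now):
        q = self.hits[ip]
        while q and now - q[0] > window_s:
            q.popleft()
        q.append(now)
        return len(q) > limit

    def decide(self, ip, path, user_agent, asn, now):
        """Return (action, reason) with action in {'allow', 'challenge', 'block'}.

        'now' is a timestamp in seconds passed in by the caller, which keeps the
        policy deterministic and testable.
        """
        # 1. Honeypot: one decoy fetch marks the IP for everything that follows.
        if path.startswith(HONEYPOT_PREFIX) or ip in self.trapped:
            self.trapped.add(ip)
            return "block", "honeypot"
        # 2. Fingerprinted automation: the default HTTPX UA and the meme UA.
        if any(m in user_agent for m in BLOCKED_UA_MARKERS):
            return "block", "user-agent"
        # 3. Sliding-window rate limit: hosting ASNs get a tight budget and are blocked
        #    on overflow; everyone else gets a generous budget and a challenge instead.
        hosted = asn in HOSTING_ASNS
        limit, window_s = self.hosting if hosted else self.default
        if self._over_limit(ip, limit, window_s, now):
            return ("block" if hosted else "challenge"), "rate"
        # 4. Watch list: served normally but tagged, so a later burst can be tied to it.
        if asn in WATCH_ASNS:
            return "allow", f"watch:asn{asn}"
        return "allow", "ok"


if __name__ == "__main__":
    p = RequestPolicy()
    print(p.decide("216.244.66.233", "/botTrap/botTrap3.html", "Mozilla/5.0", None, 0.0))
    print(p.decide("161.115.224.187", "/js/chatEngine.js", "python-httpx/0.28.1", 55286, 0.1))
    print(p.decide("2604:3d09:c57e:fa40:8114:598c:3643:2e29", "/", "Mozilla/5.0 (Linux; Android 14)", 6327, 0.2))
    for i in range(11):
        last = p.decide("152.232.215.250", f"/r/{i}", "Mozilla/5.0", 55286, 1.0 + i * 0.1)
    print(last)   # the 11th request inside 10 s from a hosting ASN is blocked
```

The honeypot rule sits first so that a trapped host cannot slip through on a later benign-looking request, and the watch-list rule sits last so that a legitimate-looking Shaw visit is never denied, only labelled: the label is what lets the burst detector tie the human hit to the bots that follow. Keying the limiter on ASN rather than on individual IPs is what makes rotating VPS instances within ServerMania or Azure cost the attacker something, since every new node starts with the same small budget.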
In closing, this “Shadow Wizard Money Gang” attack saga serves as a case study in how modern attackers can blend real user behavior with automated assaults to fly under the radar, and how they sometimes adopt popular culture references in an attempt to obscure or psychologically manipulate. By diligently correlating network logs and not dismissing the human element, we unraveled the scheme: a single threat actor (or small group) with a personal agenda, using a meme as a mask, orchestrating a distributed scraping attack from right here in Winnipeg.
We will continue to monitor and harden our systems. Every new burst or tactic employed by the attacker will be recorded, and our technical analysis will be shared with the security community so that others can recognize similar patterns.