India MHA warns: buepux.com Trust Wallet drainer targeting BNB users (2026)
A retail crypto holder in Pune opens Binance P2P to sell USDT.
Snapshot
India's Ministry of Home Affairs (MHA) and Indian Cybercrime Coordination Centre (I4C) issued advisory TAU/ADV/013 in late April 2026 warning that Trust Wallet and BNB Chain users are being drained through a fake "BNB Chain Verification" portal at buepux.com, reached via P2P-to-WhatsApp pivots from platforms like Binance P2P, OKX P2P, and Bybit P2P. The attack requires the victim to sign three wallet approvals; the third grants a setApprovalForAll or Permit2 unlimited spender authority to a drainer-controlled router, which empties the wallet within minutes.
Bottom Line First
If anyone on WhatsApp ever sends you a "BNB Chain Verification" link, including buepux.com or any close variant, do not connect your wallet. Trust Wallet does not require external verification. BNB Chain does not require external verification. The third signature on that page is a drainer authority, not a check. The Indian government issued advisory TAU/ADV/013 specifically because this kit is still actively draining Indian retail crypto holders as of June 2026.
The India MHA advisory in 90 seconds
The Ministry of Home Affairs runs India's cyber response through the Indian Cybercrime Coordination Centre (I4C), the same body that operates the 1930 cybercrime helpline and the cybercrime.gov.in portal. Both sit under the Threat Analytical Unit, which publishes "TAU/ADV" advisories when a campaign is large enough to cross multiple states and multiple banks.
Advisory TAU/ADV/013, issued in late April 2026, is the one currently flagging the Trust Wallet drainer campaign. The advisory describes a coordinated social-engineering chain that begins on legitimate P2P exchange platforms, pivots conversations to WhatsApp, and ends on a fake "BNB Chain Verification" page where the victim signs away custody of their tokens. CryptoTimes, FinanceFeeds, and Bitget News all carried summaries of the advisory in April and early May.
Why the Indian government is involved is straightforward. Crypto draining hits Indian retail holders disproportionately because India has one of the world's largest active P2P trader populations, and because the Reserve Bank of India and SEBI have no formal recovery channel for self-custody wallet losses. When INR is involved (the victims often sell USDT for INR through bank transfer or UPI), it becomes a Section 420 cheating case under the Indian Penal Code, and that pulls in state police and I4C jointly.
PhishDestroy threat intelligence added buepux.com to its public drainer index on May 3, 2026. The domain is still resolving and still hosting the kit at the time this post is published.
Step-by-step: how the buepux.com drain happens
The reason this campaign keeps working is that it does not feel like crypto phishing. It feels like ordinary P2P friction. Here is the full sequence as documented in the advisory and corroborated by the public threat reports.
Step 1: The P2P contact
The victim is selling USDT, USDC, or BNB on Binance P2P, OKX P2P, or Bybit P2P. A buyer appears with a slightly above-market rate. Two percent over spot is the most common offer. The buyer's account is usually a few months old with a small but real trade history, which clears the gut check.
Step 2: The WhatsApp pivot
Within the first two or three messages on the P2P platform, the buyer says something like "this chat is slow, can we move to WhatsApp for faster KYC and INR proof." This is the single most important red flag in the entire kit. Every legitimate P2P platform forbids off-platform communication because it voids buyer-and-seller protection. Once the chat leaves the exchange, the recorded escrow trail is gone.
Step 3: The fake "BNB Chain Verification" request
After a couple of polite messages on WhatsApp, the buyer sends a link. It is framed as "before I release the INR I just need you to verify your wallet on the BNB Chain side, our compliance team flagged a duplicate signature." The link is buepux.com or one of its sibling domains. The pretext changes weekly: sometimes it is "Trust Wallet sync issue," sometimes "BNB Chain node verification," sometimes "Binance KYC layer two."
Step 4: The page that looks exactly like Trust Wallet
buepux.com loads the Trust Wallet shield in the right purple, the BNB Chain yellow accent, the rounded card layout, the "Connect Wallet" button in the right spot. The fonts are correct because the kit pulls them from Google Fonts. The favicon is the Trust Wallet shield. None of this is hard for an attacker to clone, and they have had years of practice.
Step 5: Connect wallet
The user clicks Connect. WalletConnect opens, or MetaMask injects, or Trust Wallet's dApp browser bridges in. The page now has the victim's address and chain, and importantly, the victim now sees the legitimate wallet UI on top of the malicious site. That UI looks correct because it is correct. The wallet itself is genuine. Only the page asking it for signatures is hostile.
Step 6: The first approval
A signature request appears. It is usually a cheap, low-suspicion request. Often it is a personal_sign asking the user to "verify wallet ownership" with a short message string. Some variants ask for an approve() on a token the victim holds only a trivial amount of, say a stablecoin balance under five dollars. Either way, the first prompt is designed to feel routine. The user signs.
Step 7: The second approval
A second signature pops. Same pattern. Maybe a low-value token approval. Maybe another personal_sign confirming "verification step 2 of 3." The wording on the page reinforces the sense of a multi-step compliance check. Two routine signatures in, the user is now primed. The cadence feels correct.
Step 8: The third approval is the drainer
The third prompt is the kill shot. Instead of a benign personal_sign or a small approve(), the third request is one of three things, depending on which version of the kit is loaded:
- A setApprovalForAll(spender, true) on the victim's NFT collection contract, granting the attacker's router permission to transfer every NFT the victim owns from that contract.
- A Permit2 signature granting the attacker unlimited spender allowance on USDT, USDC, BUSD, or any high-balance ERC-20, valid for years.
- A direct approve(spender, max_uint256) on the victim's largest token holding, granting unlimited transfer authority to the drainer contract.
The wallet UI does its job. It shows a yellow warning that an "unlimited approval is being requested" or "this is a contract interaction." But the victim is already three steps in, the page is reinforcing the compliance narrative, and the buyer on WhatsApp is sending "almost done, last step." The user clicks Confirm.
Step 9: The wallet empties
The drainer's automated sweeper sees the new approval on-chain within one block on BNB Chain (roughly three seconds). A sweep transaction transfers every approved token out of the victim's wallet to a hot router. From the router, funds go to a mixer or a fresh OTC desk. Total elapsed time from the third signature to an empty wallet is typically under two minutes.
Why the THIRD approval is the trap
The three-signature funnel is not random. It is the campaign's most refined element. Here is what each signature is actually doing under the hood, which is critical to understand because once you know it, you cannot un-see it.
The first signature is almost always a personal_sign or a typed-data sign that does not move any funds. Cryptographically it is a no-op for your balance. The drainer collects your wallet address (which it already has from the connect) and gets the victim used to clicking Sign. There is no actual on-chain risk in step 1, which is exactly the point. The user finishes step 1 with the unconscious conclusion "okay, that was harmless." That conclusion becomes the foundation of the trap.
The second signature is sometimes a real but low-value approve() and sometimes another personal_sign. It exists to set rhythm. By signature 2, the user is not reading the wallet popup. They are watching the WhatsApp messages, watching the timer on the page, watching the buyer count down to "INR release."
The third signature is the one that contains the drainer authority. Critically, it is presented inside the exact same visual context as the first two. Same page, same buyer messaging, same compliance copy. The wallet's own UI does change. Trust Wallet, MetaMask, and Rabby all flash an "unlimited approval" warning at this stage. But the surrounding context the user has built up over the previous 90 seconds tells them to keep going. Three is the magic number because it is small enough to fit a "verification flow" mental model, and big enough that the user has stopped reading by the time the drainer lands.
If you ever find yourself on signature 3 of a 3-step "verification," reject it. Real verification flows do not exist. Trust Wallet does not have one. BNB Chain does not have one. Binance does not have one for off-platform sellers. The pattern itself is the signal.
Red flags any Trust Wallet user must recognize
The kit only works if the victim never stops to think. These are the breakpoints where stopping costs you nothing and saves everything.
- Any "verification" request that requires connecting a wallet is fake. Trust Wallet does not require external verification. BNB Chain does not require external verification. Binance does not ask sellers to verify on a separate portal. The category does not exist.
- URLs that are not trustwallet.com or bnbchain.org. The official Trust Wallet domain is trustwallet.com. The official BNB Chain domain is bnbchain.org. buepux.com, bnbchain-verify.com, trust-wallet-secure.io, and every other variant are all hostile, regardless of how convincing the page looks.
- Any move from a P2P platform to WhatsApp or Telegram. Binance P2P, OKX P2P, Bybit P2P, KuCoin P2P all explicitly forbid off-platform communication for exactly this reason. A buyer who tries to move the chat is almost always running a drainer, an INR chargeback fraud, or a fake-transfer scam.
- Approval requests for setApprovalForAll or unlimited spender on token contracts you have never interacted with. If you have never used a DEX on BNB Chain and a page asks for setApprovalForAll on your NFT contract or Permit2 unlimited on USDT, something is very wrong.
- Time pressure. "Verify in the next 5 minutes or the INR cannot be released." "Sign within 24 hours or your wallet will be flagged." Real KYC does not work that way. Real compliance does not work that way. Urgency is the oldest tell in scam history and it is still the most reliable.
- Above-market P2P offers from accounts under 6 months old. The buyer offering you two percent over spot is paying for your willingness to skip steps. Nobody pays a premium without a reason. The reason is they intend to drain you, not buy your USDT.
If you already signed the third approval
If the wallet is already empty, the funds in that specific wallet are almost certainly gone. The drainer's sweeper transfers tokens within seconds. Your priority now is twofold: revoke any remaining approvals so future deposits to that wallet are not also stolen, and report the incident so the on-chain trail can be followed.
- Revoke the approval immediately. Go to revoke.cash, connect the affected wallet, and look for any approvals to addresses you do not recognize. Revoke setApprovalForAll, Permit2, and any approve() with a max allowance. This costs gas, but on BNB Chain that gas is pennies. Revoke for every token, not just the high-value ones, because the drainer often leaves dormant approvals for tokens you do not yet hold.
- Move any remaining assets to a fresh wallet that has never touched the malicious site. Generate a new seed phrase from inside Trust Wallet or a hardware wallet. Do not import the compromised seed. Send any remaining BNB, USDT, USDC, NFTs, and LP positions to the new address.
- File a report with India's 1930 cybercrime helpline or at cybercrime.gov.in. Include the WhatsApp number, the P2P platform username, the buepux.com URL, the transaction hash of the drainer signature, and the receiver address. The faster you file, the better the chance investigators can flag the receiving exchange account.
- Report to BNB Chain abuse at report@bnbchain.org and to Trust Wallet at security@trustwallet.com. Include the URL, the contract address that asked for the approval, and the transaction hashes of the drain.
- Report to the public blocklists by submitting buepux.com and the drainer contract to PhishDestroy, ScamSniffer, MetaMask's eth-phishing-detect list, and Chainabuse. Public threat-intel lists are how the next victim's wallet refuses the connection.
- If you are outside India, file with FBI IC3 at ic3.gov for US, Action Fraud for UK, or your national cybercrime portal. Crypto draining is treated as wire fraud in most jurisdictions.
Two things to skip. Do not pay a "crypto recovery service" that DMs you on Twitter or Telegram after the drain. They are a second-stage scam targeting victims, and the FTC and FBI have repeatedly warned about them. And do not re-fund the compromised wallet thinking the attacker will not notice. The approval is still live until you revoke it, and the drainer sweeper checks the address on every new transfer.
How SafeBrowz catches this attack
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. The buepux.com campaign trips at multiple points in the stack, which is the whole reason we built it as overlapping layers rather than one filter.
- Layer 1 - Local detection: 60+ URL patterns plus a 550+ brand-impersonation database run directly in the extension before the page renders. buepux.com has no relationship to Trust Wallet or BNB Chain, so the brand-impersonation logic flags the path tokens ("verification," "bnb-chain," "trust-wallet-sync") the moment they appear in the URL. Domains that mention a high-risk brand but are not on the official-TLD list for that brand get flagged at the URL layer alone, no network round-trip needed.
- Layer 2 - API checks: Google Safe Browsing, PhishTank, and URLhaus pick up buepux.com once it is reported. The domain is already on PhishDestroy as of May 3, 2026, and our server pulls from the public threat-intel feeds it shares with. Once any single feed flags a domain, every SafeBrowz user is protected on the next page load.
- Layer 3 - AI deep scan (Premium): for novel variants that have not yet hit any feed, our content analysis reads the rendered page in 100+ languages, including Hindi, Tamil, Bengali, Telugu, and Marathi. A page that combines Trust Wallet branding, "BNB Chain Verification" copy, and a wallet-connect button on a fresh domain with no DEX history gets flagged in seconds. The model does not need the domain on a blocklist; it recognizes the impersonation pattern itself.
- Permit2 modal protection (v2.9.9): the most recent SafeBrowz build adds a wallet-drainer signature interceptor. When a page asks for setApprovalForAll, a Permit2 unlimited spender, or an approve() with max_uint256 to a spender address you have never interacted with, SafeBrowz pops a confirmation modal warning before the signature is sent to your wallet. The third signature on buepux.com triggers this modal every time. It is a feature on top of the three layers, not a fourth layer.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
Block fake Trust Wallet verification pages and the third-approval trap
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake Trust Wallet and BNB Chain verification pages automatically. It recognizes 550+ brands including Trust Wallet, MetaMask, Binance, Coinbase, and Phantom, and the new Permit2 modal warns you before you sign a drainer approval. AI content analysis works in 100+ languages including Hindi, Tamil, Bengali, and Marathi, and spots new fake "BNB Chain Verification" domains the moment they go live, even ones not yet on any blocklist. Free forever, no account needed. Premium is $14.99 per year and covers up to 3 devices on a single key.
Frequently asked questions
What is TAU/ADV/013?
TAU/ADV/013 is the formal identifier of the advisory issued by India's Ministry of Home Affairs through the Indian Cybercrime Coordination Centre's Threat Analytical Unit in late April 2026. The advisory warns Indian crypto holders about a coordinated Trust Wallet / BNB Chain drainer campaign that begins on P2P exchange platforms and ends on fake "BNB Chain Verification" portals including buepux.com. The advisory was carried by CryptoTimes, FinanceFeeds, Bitget News, and reflected in PhishDestroy's public threat index.
Why does Trust Wallet not require verification?
Trust Wallet is a self-custodial wallet. The keys live on your device, not on a Trust Wallet server. There is no account to verify because there is no account. Trust Wallet has never operated a verification portal and never will, because there is nothing to verify against. The same applies to BNB Chain, MetaMask, Phantom, Rabby, and every other self-custodial wallet. Any page asking you to "verify" your wallet by connecting and signing is impersonating a category of service that does not exist.
How is buepux.com still active if it has been reported?
Drainer kits use cheap domains on registrars with slow abuse response. By the time the original domain is taken down, a fresh sibling is already serving the same kit. The campaign behind buepux.com has rotated through dozens of similar domains over the past year. PhishDestroy and SafeBrowz block them on first sighting, but the official takedown process can take days. That is why a real-time browser-level block matters more than reactive registrar takedowns.
Can I get my BNB back if I signed the third approval?
Honestly, almost never. Once the drainer's sweeper has moved your tokens to its router and then to a mixer, the funds are operationally gone. There are rare exceptions when the receiver wallet later deposits to a centralized exchange that cooperates with Indian law enforcement, in which case I4C and the exchange's compliance team can freeze the deposit. File the 1930 helpline report and the cybercrime.gov.in report fast, include the on-chain receiver address, and the chance is non-zero but small. Do not pay any "recovery service" that contacts you. Those are universally second-stage scams.
Does SafeBrowz work on the Trust Wallet mobile app?
SafeBrowz is a browser extension. It runs in Chrome, Firefox, and Edge on desktop. The Trust Wallet mobile in-app browser does not support browser extensions, which is a platform limitation, not a SafeBrowz one. However, the Permit2 modal protection added in v2.9.9 does apply to MetaMask, Trust Wallet, and Rabby wallet extensions in desktop Chrome, Firefox, and Edge, which is where most high-value DeFi users connect. Safari support is built and pending Apple Developer enrollment.
Are other P2P platforms (Binance, OKX, Bybit) being abused?
Yes. The advisory and the threat reports explicitly name Binance P2P, OKX P2P, and Bybit P2P as the most commonly abused entry points, with KuCoin P2P and Bitget P2P seeing smaller volume. The attack does not depend on which platform you use. It depends on the attacker getting you off the platform and into WhatsApp or Telegram. As soon as a buyer or seller suggests moving the chat off the exchange, the attack vector activates regardless of which P2P you started on.
How do I report this to India's 1930 helpline?
Dial 1930 from any phone in India to reach the National Cybercrime Helpline operated by I4C, available in multiple Indian languages. Alternatively, file online at cybercrime.gov.in. For crypto drainer cases include: the WhatsApp number that sent the link, the P2P platform username of the buyer or seller, the malicious URL (buepux.com or whichever variant), the transaction hash of the third signature you signed, the receiver wallet address, and screenshots of the chat. The faster the report, the better the chance of a freeze if funds reach a regulated exchange.
What is setApprovalForAll vs Permit2 unlimited spender?
setApprovalForAll is an ERC-721 and ERC-1155 function that grants a spender address blanket permission to transfer every NFT you own in a specific collection contract. It is used legitimately by NFT marketplaces. Permit2 is a Uniswap-developed contract that batches ERC-20 token approvals; granting a Permit2 unlimited spender authority lets that spender pull any amount of the token from your wallet for the duration of the signed permit, often years. Both are powerful primitives that legitimate DeFi uses constantly, which is exactly why drainers reuse them. The defense is the same: never sign either without independently verifying the spender address and the dApp.
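As an added example (not SafeBrowz, Trust Wallet, or Permit2 project code), the check below classifies the request shapes described in the three-signature funnel above and in this FAQ: a personal_sign, an ERC-20 approve(), an ERC-721/1155 setApprovalForAll, and a Permit2 PermitSingle/PermitBatch typed-data permit, flagging unlimited allowances to a spender the user has never interacted with. The 4-byte selectors are the standard ERC-20/ERC-721 ones; the "unlimited" threshold and the trusted-spender list are assumptions of this example.

```javascript
// Added example, not SafeBrowz or Trust Wallet code: classify the requests a
// dApp sends to a wallet and flag the drainer shapes described in the post.
// Spender addresses used in tests are constructed placeholders.

const SEL_APPROVE = "095ea7b3";              // approve(address,uint256)
const SEL_SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)
// Heuristic (assumption): any allowance this large is effectively unlimited;
// it catches both max_uint256 approve() and Permit2's maxed uint160 amount.
const UNLIMITED_THRESHOLD = 1n << 128n;

// Split ABI-encoded calldata into a 4-byte selector and 32-byte words.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) return null;
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: hex.slice(0, 8), words };
}
const wordToAddress = (w) => "0x" + w.slice(24);
const wordToUint = (w) => BigInt("0x" + w);

// Returns { risk, reason }. trustedSpenders: addresses the user has knowingly
// interacted with before (e.g. a DEX router); anything else is "unknown".
function classifyWalletRequest(req, trustedSpenders = []) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const unknown = (addr) => !trusted.has(addr.toLowerCase());
  // Step 1/2 shape: a message signature moves no funds by itself.
  if (req.method === "personal_sign") return { risk: "low", reason: "message signature, no on-chain authority" };
  if (req.method === "eth_sendTransaction") {
    const call = decodeCalldata(req.params[0].data || "0x");
    if (!call) return { risk: "unknown", reason: "undecodable calldata" };
    if (call.selector === SEL_APPROVE && call.words.length === 2) {
      const spender = wordToAddress(call.words[0]);
      const amount = wordToUint(call.words[1]);
      if (amount >= UNLIMITED_THRESHOLD && unknown(spender)) {
        return { risk: "critical", reason: `unlimited approve() to unknown spender ${spender}` };
      }
      return { risk: "medium", reason: `approve() of ${amount} to ${spender}` };
    }
    if (call.selector === SEL_SET_APPROVAL_FOR_ALL && call.words.length === 2) {
      const operator = wordToAddress(call.words[0]);
      if (wordToUint(call.words[1]) !== 0n && unknown(operator)) {
        return { risk: "critical", reason: `setApprovalForAll(true) to unknown operator ${operator}` };
      }
      return { risk: "low", reason: "setApprovalForAll to a known operator, or a revoke" };
    }
    return { risk: "unknown", reason: `unrecognised selector 0x${call.selector}` };
  }
  // Step 3 shape via typed data: a Permit2 PermitSingle/PermitBatch signature.
  if (req.method === "eth_signTypedData_v4") {
    const typed = JSON.parse(req.params[1]);
    if (typed.primaryType === "PermitSingle" || typed.primaryType === "PermitBatch") {
      const details = [].concat(typed.message.details); // PermitSingle -> one entry
      const spender = typed.message.spender;
      const maxed = details.some((d) => BigInt(d.amount) >= UNLIMITED_THRESHOLD);
      if (maxed && unknown(spender)) {
        return { risk: "critical", reason: `Permit2 unlimited allowance to unknown spender ${spender}` };
      }
      return { risk: "medium", reason: `Permit2 permit to ${spender}` };
    }
    return { risk: "low", reason: `typed data (${typed.primaryType}), no token authority` };
  }
  return { risk: "unknown", reason: `unhandled method ${req.method}` };
}
```

A wallet-side interceptor would run this before forwarding the request and surface anything rated "critical" as a blocking warning; a "low" rating on steps 1 and 2 is exactly why those steps feel harmless.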
Article last updated: June 1, 2026. Status check: buepux.com still resolving and serving the drainer kit at time of publication. SafeBrowz blocks the domain across all three protection layers.