Phishing Attacks Targeting Nepali Digital Wallets: Credential Harvesting Campaign Exposed
A Cybersecurity Investigation Report
Date: 27 March 2026
This investigation has identified an active phishing infrastructure targeting users of Nepal’s leading digital wallet platforms eSewa, Khalti, and Prabhu Pay. The campaign employs sophisticated fake login pages hosted on Vercel, designed to harvest user credentials through cloned interfaces. Three primary phishing domains were documented: esewa-login.vercel.app, khalti-login.vercel.app, and prabhu-login.vercel.app.
These frontend phishing pages transmit captured data to a central backend collector located at https://admin-backend246.vercel.app/, specifically via the /api/logins endpoint. This analysis, based exclusively on observed patterns and publicly available indicators, reveals an organized credential-harvesting operation that exploits the growing reliance on digital financial services in Nepal. No unauthorized access or interaction with the identified systems was performed. The findings underscore the urgent need for heightened vigilance among users and service providers to mitigate financial and identity-related risks.
Introduction
Nepal’s digital payment ecosystem has experienced rapid expansion, with platforms such as eSewa, Khalti, and Prabhu Pay serving millions of users for everyday transactions, remittances, and merchant payments. This growth, while transformative, has attracted cybercriminals seeking to exploit user trust through phishing attacks.
In recent months, cybersecurity researchers have observed a marked increase in phishing campaigns tailored to Nepali digital wallet users. These attacks typically involve the creation of counterfeit login pages that closely mimic legitimate services, thereby deceiving victims into disclosing sensitive credentials. This report presents the results of a detailed investigation into one such campaign, highlighting its technical characteristics, operational methods, and broader implications for cybersecurity in Nepal.
Investigation Overview
Objective: To document and analyze phishing domains impersonating Nepali digital wallets, map their technical infrastructure including backend components, and outline the associated risks and mitigation strategies.
Scope: The investigation focused on three specific domains (esewa-login.vercel.app, khalti-login.vercel.app, and prabhu-login.vercel.app) along with the linked backend collector at https://admin-backend246.vercel.app/ and its /api/logins endpoint. Analysis was confined to open-source intelligence and pattern observation.
Methodology: The investigation employed open-source intelligence (OSINT) techniques, including domain pattern analysis, visual inspection of publicly accessible page structures, and correlation of hosting indicators. All observations were conducted passively, based solely on observed patterns, with no interaction, probing, or exploitation of any system.
Identified Phishing Domains
The campaign utilizes a consistent naming convention to build credibility:
- esewa-login.vercel.app – impersonates eSewa
- khalti-login.vercel.app – impersonates Khalti
- prabhu-login.vercel.app – impersonates Prabhu Pay
Each domain follows the pattern “[brand]-login.vercel.app,” borrowing the trust associated with the respective digital wallet while indicating deployment on Vercel’s cloud infrastructure. This standardized approach lets the operators stand up new fronts quickly and makes the pages easy to mistake for official login portals by victims who search for them.
Technical Analysis
The phishing sites are hosted on Vercel, a popular cloud platform that allows quick deployment of web applications. This choice facilitates low-cost, easily disposable infrastructure that can be recreated as needed.
The pages replicate the visual design, logos, and user interface elements of the legitimate digital wallet login screens, creating a convincing illusion of authenticity.
Further analysis has confirmed the existence of a dedicated backend collector at https://admin-backend246.vercel.app/. This component serves as the central data exfiltration point for the campaign. The specific endpoint /api/logins functions as the primary API responsible for receiving and storing credentials submitted from the frontend phishing pages. The infrastructure demonstrates deliberate design: separate brand-specific frontend domains combined with a unified backend for centralized credential aggregation.


Attack Flow
The phishing operation follows a clear, sequential process:
- Distribution of phishing link – Victims receive the malicious URL via SMS, email, social media, or messaging applications, often disguised as an urgent account verification notice or promotional offer.
- Access to fake login page – The user is directed to one of the impersonating domains (e.g., khalti-login.vercel.app).
- Credential entry – The cloned interface prompts the victim to enter their mobile number, PIN, password, or other authentication details.
- Data transmission – Submitted information is automatically forwarded to the backend collector at https://admin-backend246.vercel.app/api/logins.
- Credential exfiltration – Attackers retrieve the harvested data from the backend for unauthorized access or further monetization.
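The naming convention and the attack flow above translate directly into detection logic. The following Python script is an added example written for this report, not code from the original investigation: it scans web-proxy log lines for the three documented frontend hosts and the collector endpoint, and generalises the “[brand]-login.vercel.app” convention into a regular expression so that variants of the same pattern are also flagged. The log format, the lookalike regex, and the sample log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Indicators taken from the report: the three frontend hosts and the backend collector.
PHISHING_HOSTS = {
    "esewa-login.vercel.app",
    "khalti-login.vercel.app",
    "prabhu-login.vercel.app",
}
COLLECTOR_HOST = "admin-backend246.vercel.app"
COLLECTOR_PATH = "/api/logins"

# Assumed generalisation of the "[brand]-login.vercel.app" naming convention:
# a wallet brand name, an optional separator, "login", anything, then ".vercel.app".
BRANDS = ("esewa", "khalti", "prabhu")
LOOKALIKE_RE = re.compile(
    r"^(?:%s)[-_.]?login[^.]*\.vercel\.app$" % "|".join(BRANDS), re.IGNORECASE
)

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    line_no: int
    client: str
    host: str
    reason: str


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL matches a campaign indicator, else None.

    Exact-host indicators are checked before the broader lookalike pattern so that
    the most specific reason wins.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()  # urlparse already lowercases hostname
    if host == COLLECTOR_HOST and parsed.path.startswith(COLLECTOR_PATH):
        return "credential collector endpoint"
    if host == COLLECTOR_HOST:
        return "credential collector host"
    if host in PHISHING_HOSTS:
        return "known phishing frontend"
    if LOOKALIKE_RE.match(host):
        return "brand-login lookalike on vercel.app"
    return None


def scan_log(lines: List[str]) -> List[Alert]:
    """Parse each log line and emit an Alert for every request that hits an indicator.

    Lines that do not match the assumed format are skipped rather than raising,
    so a noisy log does not abort the scan.
    """
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify_url(m["url"])
        if reason:
            host = urlparse(m["url"]).hostname or ""
            alerts.append(Alert(n, m["client"], host.lower(), reason))
    return alerts


# Constructed sample log: one clean request, a visit to a documented phishing
# frontend, the subsequent POST to the collector, a lookalike variant, and noise.
SAMPLE_LOG = [
    "2026-03-27T10:15:02Z 10.0.0.12 GET https://esewa.com.np/ 200",
    "2026-03-27T10:16:44Z 10.0.0.12 GET https://khalti-login.vercel.app/ 200",
    "2026-03-27T10:17:01Z 10.0.0.12 POST https://admin-backend246.vercel.app/api/logins 200",
    "2026-03-27T10:21:30Z 10.0.0.45 GET https://prabhu-login-verify.vercel.app/login 200",
    "2026-03-27T10:22:00Z 10.0.0.45 GET https://vercel.app/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.client} -> {a.host} ({a.reason})")
```

A GET to a frontend followed shortly by a POST to the collector from the same client is the sequence described in the attack flow; in practice the alerts would be grouped per client so that an analyst can see that a credential submission, not just a page view, has occurred.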

Key Findings
- Organized phishing infrastructure: The campaign employs a modular architecture with brand-specific frontends and a centralized backend collector, indicating coordinated operation rather than opportunistic activity.
- Use of cloud hosting: Deploying on Vercel enables rapid setup, low cost, and easy disposal of infrastructure, a common tactic in modern phishing campaigns.
- Centralized credential harvesting: The backend at https://admin-backend246.vercel.app/ and its /api/logins endpoint are specifically engineered to receive and store digital wallet login credentials from multiple phishing fronts.
- High relevance to Nepal’s digital economy: The precise imitation of eSewa, Khalti, and Prabhu Pay demonstrates detailed knowledge of local financial services.
Risk & Impact
Successful compromise grants attackers full access to victims’ digital wallets, enabling immediate financial theft, unauthorized transfers, and potential access to linked bank accounts. Beyond monetary loss, stolen credentials may facilitate identity theft, account takeover for further social engineering, or sale on underground markets.
Given the widespread adoption of these wallets for salary disbursement, utility payments, and remittances, the potential scale of impact extends to both individual users and the national digital payment ecosystem.
Defensive Recommendations
For Users
- Always verify the exact URL before entering credentials; the legitimate services are not hosted on third-party hostnames such as “[brand]-login.vercel.app”.
- Enable two-factor authentication (2FA) or biometric verification where available.
- Avoid clicking unsolicited links; access services directly through official apps or bookmarked URLs.
- Regularly monitor account activity and report suspicious behavior immediately to the service provider.
For Organizations (eSewa, Khalti, Prabhu Pay, and similar platforms)
- Implement continuous domain monitoring and rapid takedown procedures for impersonating sites.
- Enhance user education campaigns on phishing recognition.
- Deploy advanced client-side protections, such as strict Content Security Policy (CSP) and anti-phishing warnings within official applications.
- Collaborate with cloud providers and local law enforcement to disrupt such infrastructures.
Cyber Alert
Immediate Action Advised for Nepali Digital Wallet Users
If you have received any link containing “esewa-login”, “khalti-login”, or “prabhu-login” followed by “.vercel.app”, treat it as malicious. Do not interact. Report the link to your wallet provider and change your credentials via the official application only.
Conclusion
The phishing campaign targeting Nepali digital wallets exemplifies the evolving cyber threat landscape in Nepal amid increasing digital financial adoption. This investigation highlights the sophistication and organization behind such operations, which exploit trust in established local platforms through coordinated frontend and backend components.
As cybersecurity in Nepal continues to face new challenges, proactive awareness, technical vigilance, and collaborative defense remain essential. Continued monitoring and public reporting of these threats are critical to protecting users and strengthening the nation’s digital resilience.
This report is published for public awareness and educational purposes. Reproduction with proper attribution is encouraged.