Is croxyproxy.rocks safe?

encoded payload

suspicious base64-like blobs detected in page content

obfuscated code

Inline script uses multi-layer obfuscation: Function(new TextDecoder('utf-8').decode(new Uint8Array(atob(...)))) pattern decodes a base64 string into a hex-encoded string, then executes it dynamically via Function(). This triple-encoding (base64 → hex → eval via Function constructor) is a classic technique to hide malicious payloads from static scanners and AI content analyzers. The decoded payload cannot be reviewed without execution. (location: page.html:701 — inline <script> block)

prompt injection

The infoBar banner contains an outbound link to reflect4.me/register with utm_source=front_top_banner. The domain 'reflect4.me' is unrelated to CroxyProxy and is embedded in a fixed overlay bar that is always visible. This injection point could be used to redirect users (including AI agents browsing through the proxy) to a third-party registration page under the guise of a CroxyProxy feature ('Configure your personal web proxy for free'). (location: page.html:984 — #infoBar <a> tag linking to https://reflect4.me/register)

malicious redirect

The proxy form submits to a relative 'servers' action endpoint (action='servers') via POST. A web proxy by design routes all user-submitted URLs through its own servers, enabling man-in-the-middle interception of all traffic, including credentials and session tokens entered into proxied sites. The quick-links (Google, YouTube, Facebook, Instagram, Twitter, etc.) use data-href attributes loaded by JavaScript, obscuring the actual redirect destination until runtime. (location: page.html:856 — <form action='servers'> and page.html:884 — #quickLinks data-href attributes)

credential harvesting

CroxyProxy operates as a man-in-the-middle web proxy: all HTTP/S traffic from users is routed through croxyproxy.rocks servers (server IP 143.244.207.157 exposed in footer). Any credentials, session cookies, or tokens entered into websites accessed through the proxy are fully visible to the proxy operator. The site explicitly encourages proxying of Facebook, Instagram, Twitter, Google, and other credential-bearing sites via quick-links. (location: page.html:856-884 — proxy form and quick links; page-text.txt:154)

social engineering

The site markets itself as 'the most advanced secure and free web proxy' and claims 'All data is encrypted before transfer' and provides 'privacy protection' — while simultaneously acting as a full traffic interceptor. These claims are misleading: encryption between user and proxy does not protect data from the proxy operator itself. Users are socially engineered into trusting the proxy with sensitive browsing. (location: page.html:848-943 — marketing copy; page-text.txt:121-213)

hidden content

An invisible 1x1 iframe is injected at the bottom of the page body with style position:absolute, top:0, left:0, border:none, visibility:hidden. A script is injected into this hidden iframe to load Cloudflare challenge scripts (/cdn-cgi/challenge-platform/scripts/jsd/main.js). While this is a known Cloudflare pattern, the hidden iframe technique is also used for drive-by exploits and tracking. The iframe content is dynamically generated, preventing static inspection. (location: page.html:987 — hidden iframe injected via inline script at end of <body>)

brand impersonation

The domain croxyproxy.rocks impersonates or mimics the legitimate CroxyProxy service at croxyproxy.com. The .rocks TLD variant is a common typosquatting/brand-cloning tactic. The site uses the same branding, logo (cdn.croxyproxy.rocks), and content as the canonical service, but operates on a different domain that users may not distinguish from the official one. (location: metadata.json — domain: croxyproxy.rocks vs legitimate croxyproxy.com; page.html:32-33 — CDN assets from cdn.croxyproxy.rocks)