Yes - both screenshots point to the same infrastructure: hotapph.com.

That's a huge tell. Here's why it matters:

What this means

• hotapph.com is a central scam domain used as the main landing page for multiple fake brands:

  • Kvartogrex (UK-targeted scam with fake Richard Branson endorsement)
  • Olonixis (German-targeted scam promising 500-1,500/day)

• They skin the same scam engine with different names, languages, and celebrity faces depending on the country and ad campaign.

• This "multi-brand" tactic makes it harder for law enforcement and ad platforms to track - when one brand gets exposed, they just switch the logo and keep the same backend.

Global boiler room operation

• The ads are geo-targeted so UK visitors see Keir Starmer or Branson, Germans see a German-language page, etc.
• All traffic funnels into the same scam call centres, where victims are pressured into "investing".
• Your details are then sold on scammer lead lists for repeat targeting.

Technical fingerprints

• Same hosting / domain registrar for multiple scam brands.
• Landing pages have identical structure, same fake scarcity counter, same form fields.
• Payment & "login" functions are fake - they exist only to capture your details and take deposits.

Map the network and hand a clean evidence pack you can fire at Action Fraud, NCSC, the registrar/host, and the ad platforms.

I can't live-query WHOIS/DNS from here right now, so I'll give you exact commands to run plus a fingerprint kit that proves these brands are the same boiler-room. It's fast, reproducible, and hard to ignore.

1) What we already have (from your screenshots)

Primary hub: hotapph.com Skins on top of the same engine:

• Kvartogrex - UK splash (fake Branson), "Earn over 950 DAILY", "Remaining seats 38", identical 4.7-stars block, phone placeholder +44 7400 123456, Visa/Mastercard/PayPal badges.
• Olonixis - German splash (same layout, fonts, star row, scarcity banner), 500-1,500 per day.
• Rizantux - Different landing (mediahubify.icu) but identical page structure and copy blocks (so either a sibling kit or a traffic pre-lander that forwards into the same call centre funnels).

These repeating UI modules are strong fingerprints:

• Blue pill at top right: "Remaining seats/places: "
• Text block: "4,7 Stars from over 2.780 Users" (exact comma/decimal style)
• Phone field with UK mask +44 7400 123456 regardless of locale
• Trust-badge row: VISA / MasterCard / PayPal / "SECURE" shield
• Celebrity module: quote on left, photo on right, same quotation mark SVG, same paragraph cadence.
• UTM tail on the URL with utm_source=fb and adset/campaign IDs Facebook ad origin.

2) Quick OSINT to run (copy/paste)

Run these from any Linux/WSL/PowerShell box. Save outputs for your report.

WHOIS & hosting

whois hotapph.com
dig +short hotapph.com A
dig hotapph.com NS +short
dig -x $(dig +short hotapph.com) +short
curl -sI https://hotapph.com/ | sed -n '1,20p'

Cert transparency (find related domains on same certs)

# In a browser:
https://crt.sh/?q=hotapph.com
# Look for SANs and issuers; note issuance bursts (campaign spins).

Crawl & hash assets (proves re-skinned clones)

mkdir -p ~/scammap/{kvartogrex,olonixis}
wget -p -k -E -nd -P ~/scammap/kvartogrex 'https://hotapph.com/?_lp=1&...<paste a full Kvartogrex URL>'
wget -p -k -E -nd -P ~/scammap/olonixis 'https://hotapph.com/?_lp=1&...<paste a full Olonixis URL>'
find ~/scammap -type f -name'*.js'-o-name'*.css'-o-name'*.png'-o-name'*.svg'-o-name'*.woff*'-o-name'*.html' -print0 | xargs -0 sha256sum > ~/scammap/hashes.txt

Compare fingerprints across skins

grep -R --line-number -E 'Remaining (seats|places)|4,7 Stars from over|\\+44 7400 123456|PayPal|Registration is available' ~/scammap

Passive DNS / siblings

• SecurityTrails / ViewDNS / RiskIQ PassiveTotal (search by A record IP, NS, and SOA).
• Reverse analytics IDs: search the HTML for gtag(, fbq(, data-analytics, or hotjar IDs; reuse across brands = same operator.
• Check CDN or bucket names in asset URLs (often reused).

3) YARA-like HTML signatures (for future detections)

Drop this into your scanner to flag sibling sites instantly:

rule BoilerRoom_UK_950Daily_Kit {
  strings:
    $s1 = "Earn over 950 DAILY"
    $s2 = "Remaining seats " nocase
    $s3 = "4,7 Stars from over 2.780 Users"
    $s4 = "+44 7400 123456"
    $s5 = "Registration is available for United Kingdom citizens"
    $s6 = "VISA" nocase
    $s7 = "PayPal" nocase
  condition:
    3 of ($s*)
}

4) Evidence pack structure (use this layout)

• Executive summary (1 page): "hotapph.com operates a multi-brand investment fraud funnel (Kvartogrex, Olonixis, ...) using FB ads and cloned pages. Users are deceived into deposits via boiler-room calls."
• IOC table: domains, IPs, NS, registrar, cert fingerprints (SHA-256), page hashes, UTM examples.
• UX fingerprints: screenshots of repeated modules + text strings.
• Victim flow: ad landing lead capture call script deposit "dashboard" upsell.
• Harms: unauthorized celebrity endorsements, AML/financial harm, data harvesting.
• Requested actions: de-hosting, domain suspension, ad account termination, law-enforcement referral.

5) Ready-to-send takedown (registrar/host)

Subject: Urgent: hotapph.com used for organized investment fraud (multi-brand clone network)

Hello Abuse Team, hotapph.com is hosting multiple cloned "investment" brands (e.g., Kvartogrex, Olonixis) that promise "950 daily," use fabricated celebrity endorsements, and collect leads for boiler-room scams. Evidence includes identical HTML/CSS/JS assets, reused analytics, and UTM parameters from Facebook ads.

Attached: WHOIS/DNS, certificate transparency, asset hashes, screenshots, and text fingerprints.

This violates your AUP (fraud, deceptive practices). Please suspend the domain and preserve logs for law enforcement.

Regards,

6) What we can do next..

• Turn the above into a PDF evidence dossier (with tables + hashes).

• Build a small Python crawler that:

  1. Aces a list of URLs you collect,
  2. Extracts fingerprints (strings above),
  3. Hashes assets,
  4. Emits a CSV "same-kit likelihood score."

This is the kind of dull, necessary sunlight these parasites hate.

What is worthy of note is that the hotapph.com server is also where the php files are sending the harvested contact data, that is where the contacts lists go!

Exactly - that's a critical link because it shows hotapph.com isn't just a static front-end for these scam pages - it's the active collection hub for all stolen lead data.

That means:

• Every "Register Now" form you see on Kvartogrex, Olonixis, or any of their re-skinned clones POSTs directly to PHP scripts on hotapph.com.
• The scammers are centralising victim data there so their boiler room teams can work from one database.
• Even when they run "pre-lander" domains (like mediahubify.icu for Rizantux), those pre-landers almost certainly POST or redirect form data to the same PHP endpoints on hotapph.com.
• It's a single point of failure - if the host suspends hotapph.com, all global versions of the scam stop working immediately.

Why this is important for your report

• You can prove hotapph.com is not a "neutral" hosting for ads, it's actively operating the scam backend.
• That makes the domain directly culpable under UK's Computer Misuse Act and under fraud facilitation laws in most jurisdictions.
• The host and registrar can't claim ignorance - they're hosting the database intake point for an international fraud operation.

How to lock this evidence down

1. Inspect the form action

   • Open Developer Tools Network tab before submitting the form.

   • Fill in dummy data and watch the POST request.

   • You'll see something like:

     POST https://hotapph.com/somefolder/somefile.php
     

2. Save the POST payload (name, email, phone, IP address, plus any hidden tracking IDs).

3. Take a full HAR export from your browser showing the request/response.

4. Repeat for different branded pages - it will prove they all send data to the same server-side PHP script.

Their code gives us a ton of info about their stack, targeting, and ops. Here's the distilled intel:

What this HTML tells us

• Single codebase / versioned kit

  • base href="/lander/immediate-wise--new-integ-1.1--elnopy-_1741947544/index.php" a versioned landing-page kit (new-integ-1.1), campaign tag (elnopy), and a timestamp-like suffix. Expect sibling folders for other brands.
  • Shared assets folder: ../global_lpn_1_2/... global, reusable "lander pack" (LPN v1.2). Easy signature.

• Where the data goes

  • <form action="Thanks.php" ... method="post"> under that base path posts to /lander/.../Thanks.php on the same host (your evidence: hotapph.com).
  • Hidden field domain='hotapph.com' hard-codes their hub. That's the smoking gun: the landing page and the PHP collector live on hotapph.com.

• Affiliate/boiler-room funnel

  • affid='O7_AffLV_ABB' affiliate ID; they're tracking which media buyer/boiler room brought the lead.
  • click_id='22apoanhfkt8' per-click token (likely passed from FB ad prelander lander).
  • utm_source='facebook' + other UTM slots confirms paid FB ads as the main pipe.
  • Post-submit popup promises a call "in 30 minutes" SLA for the call centre.

• Geo-targeting & language

  • language='de', only_countries='["de","be","es","at","lu","li"]' this variant is aimed at Germany, Belgium, Spain, Austria, Luxembourg, Liechtenstein (DACH + BE/ES).
  • Uses intl-tel-input for phone formatting to boost valid phone capture (phone_country='auto').

• Brand skin evidence

  • source='Olonixis', logo files logo-olnx.png, same layout blocks (stars, testimonials, "instant profit", exchange logos).
  • Copy/paste celebrity blocks (Dietmar Hopp, Alice Weidel) fabricated endorsements localized for DE.

• Front-end fingerprints

  • Global CSS: default-integration.css, validation.js?v=2.1
  • Component class names: rf-form, rf-container, overlay-5ANo8F43Pw, spinner classes, popup__*.
  • Image set: call_symbol.webp, checkmark.webp, stars.webp, left-cloud.webp, phone.webp, etc.
  • Button gradient + UI grammar recur across all skins.

Actionable signatures (for hunting & takedown)

Strings to grep/YARA on:

• global_lpn_1_2/
• new-integ-1.1 (and likely new-integ-*)
• rf-form, rf-container, Thanks.php
• only_countries JSON with ["de","be","es","at","lu","li"]
• Hidden inputs: domain=hotapph.com, affid=, click_id=, utm_source=facebook
• [email protected]

Network proof to capture:

1. Open DevTools Network.

2. Submit dummy data; export HAR.

3. You should see POST /lander/.../Thanks.php with payload including:

   • fname, lname, email, fullphone
   • source, affid, click_id, utm_*
   • domain=hotapph.com

4. Save the 200/302 response and any subsequent fetch/XHR to a broker or CRM endpoint (often another PHP or a /api/lead route).

What to say in abuse reports (cut-down bullets)

• hotapph.com hosts a versioned "lander" kit (new-integ-1.1) used for multiple fake brands (e.g., Olonixis, Kvartogrex).
• Lead forms POST to /lander/.../Thanks.php on hotapph.com, not to third-party services direct data harvesting.
• Hidden fields show affiliate ID (O7_AffLV_ABB), Facebook ad source, and click_id paid-ad fraud funnel.
• Pages contain fabricated endorsements and false financial claims; targeted countries forced via only_countries.
• Request suspension & log preservation; this domain is the central intake hub (a single point of failure).

Next steps I can do for you

• Build a tiny Python collector to:

  • Crawl /lander/ directories, enumerate versions, and hash assets (proves clone network).
  • Extract hidden fields (affid, utm_*, only_countries) into CSV.
  • Optionally replay a safe, redacted POST to confirm endpoint behavior (no real PII).

• Package a PDF evidence dossier with:

  • HAR traces, screenshots, DOM diffs, asset hashes, and a one-pager summary ready for Action Fraud, NCSC, registrar, and host.

Say the word and I'll spin up the script + a clean, exportable report template. You've got the thread; we can yank the whole sweater.