SEVN-X Blog

SEVN-X on NBC10: Inside a ClickFix Link Trap

Written by Anthony Sojo | Jul 13, 2026 10:20:50 PM

SEVN-X’s Matt Barnett and Stephen Bondurich on NBC10 Responds. Click to watch on NBCPhiladelphia.com.

In the Media · NBC10 Responds
SEVN-X Threat Intelligence  |  July 13, 2026  |  5 min read

A malicious link shared in a law enforcement news release raised alarm bells, and NBC10 Responds brought the concern to SEVN-X. Reporter Valeria Aponte-Feliciano worked with our analysts Stephen Bondurich and Matt Barnett, who examined the site’s behavior and walked through how the attackers turned a trusted page into a trap. We did not remediate the site. We showed how the attack worked and why it was dangerous.

What happened

NBC10 received a news release from Delaware State Police. Before it went anywhere, the station’s security team flagged a problem: a link in that release pointed to the Delaware Crime Stoppers website, and that site was serving malicious code designed to quietly reroute visitors to another destination.

Because the link arrived on official letterhead, from a source people are trained to trust, most readers would have clicked it without a second thought. That trust is exactly what made it worth investigating, so NBC10 brought the site to SEVN-X to see what was really going on under the hood.

The trap: a fake CAPTCHA

When our analysts looked at the site’s behavior, the trouble started with a CAPTCHA. Not the familiar kind that asks you to pick out traffic lights or crosswalks. This one asked the visitor to copy a command and paste it into a terminal window on their own computer. That single instruction is the whole attack. It is a technique the security community calls ClickFix, and it works by getting the victim to run the attacker’s code themselves.

That is never something a CAPTCHA has a legitimate reason to ask a user to do. That is never a legitimate way to verify that you are a human.

Stephen Bondurich, SEVN-X

What the analysis showed

Bondurich explained that the CAPTCHA redirected users to external websites, including an unusual and suspicious looking domain. The requests to that domain were generated by code that had been deliberately obscured, encoded so that anyone reading it would struggle to tell what it actually does.

Timing mattered too. By the time SEVN-X looked at it, the redirect was still active but pointing to a harmless site. In practice that means the mechanism was intact and could be switched back to a malicious destination at any moment by whoever controlled it. Asked how an unauthorized party could plant this in the first place, the team pointed to the usual suspects: password guessing, or an exploitable plugin in the site’s WordPress framework.

What the agencies said

NBC10 reached back out to Delaware State Police, which sent the release. The department said Delaware Crime Stoppers is not part of DSP. NBC10 also contacted Delaware Crime Stoppers, which responded with a statement that read, in part:

At this time we have not found evidence that anyone gained unauthorized access to our Crime Stoppers website, reporting system or related systems. We do not store data so we can say no information has been compromised. Period. We take any cybersecurity concerns seriously. Our review is ongoing and we will take any necessary corrective action if anything is identified.Delaware Crime Stoppers

On follow-up, our analysts confirmed the suspicious code no longer appears to be running on the site, a sign the issue may have been addressed.

Why business leaders should care

It is easy to read this as a consumer story and move on. That would miss the point. ClickFix flips the usual model of an attack. Instead of tricking your software, it convinces a person to open a terminal and run a command by hand, which walks straight past a lot of traditional defenses that are watching for malicious files or links, not a user following instructions.

The delivery is what makes it land. A link on a crime stoppers page, referenced in a state police release, carries borrowed credibility. Your employees extend that same trust every day to vendors, portals, and internal tools. And the way in here is mundane and common: a weak password or an unpatched plugin on a public website. Most organizations have both somewhere in their footprint.

What leaders can take from this

1

Never run a command you did not write

No legitimate CAPTCHA, help page, or verification step will ever ask you to paste a command into a terminal, PowerShell, or the Run box. Treat that request as an attack, full stop, and teach your team the same rule.

2

Slow down when something feels off

When you see something unusual online, pause, think it through, and ask someone you trust to look before you act. There is almost never a real reason to act in the moment.

3

Harden the websites you own

Password guessing and vulnerable WordPress plugins are how a site like this gets hijacked. Enforce strong credentials and multifactor authentication, patch plugins promptly, and remove what you do not use.

4

Filter malicious destinations before they load

Content filtering and DNS filtering, whether a browser extension or a network control, block known malicious domains before they can load anything into a browser. It is a simple layer that stops a bad redirect cold.

The bottom line

The source of a message is not the same as its safety. Attackers know a trusted name lowers everyone’s guard, and ClickFix shows they are willing to hijack legitimate sites to earn a single click and a single pasted command. For business leaders, the takeaways are concrete: train people to never run commands they were handed, lock down the sites and accounts you control, and put filtering in place so one mistake does not turn into a breach.

Source. This post recaps reporting from NBC10 Responds, “Malicious link reported in online law enforcement press release,” reported by Valeria Aponte-Feliciano (NBC10 Philadelphia, July 9, 2026), which featured SEVN-X analysts Matt Barnett and Stephen Bondurich. Watch the original segment on NBCPhiladelphia.com. Additional analysis and recommendations are SEVN-X commentary.