Independent · Public · Non-commercial · Since 2019

About PhishDestroy:
Mission, Team & Methodology

We are a volunteer threat‑intelligence group. For 5+ years we have disrupted phishing, drainers, and crypto fraud. We detect live threats first, preserve evidence, and coordinate takedowns with hosts, registrars, and AV vendors.

Live Reports Our Methodology Crypto-Scam Havens
104K+
Domains Tracked
23K+
Abuse Reports
79K+
Takedowns
24/7
Automation
<0.01%
FP Rate
Zero $
Non-Commercial

PhishDestroy is an independent, non-commercial threat intelligence platform that detects phishing domains in real time, scores risk levels, preserves forensic evidence, and coordinates takedowns to protect users from phishing, cryptocurrency scams, and wallet drainer attacks. Active since 2019, the project tracks 104,000+ flagged domains across 350+ targeted brands, has filed 23,000+ abuse reports, and operates a public threat API and domain security database used by security researchers worldwide.

About PhishDestroy

Our approach is simple: when we see an active threat, we move immediately. We don’t wait for victims, lawsuits, or publicity — we act so there are no victims at all. This is our story.

Our Mission and Methods

We started with Steam scammers and spammy ads; today our scope is global crypto phishing, drainer networks, and large‑scale fraud operations. We conduct end‑to‑end casework: tracing money on‑chain to real operators, mapping infrastructure, and linking campaigns to specific panels, keys, and code. Our unique insight comes from having seen scams from the inside — not as employees but with full root‑level access to their infrastructure. This gives us an unparalleled edge to preempt new variants quickly.

Our Uncompromising Principles

  • Non‑commercial: We sell nothing and take no donations. No paid delistings, ever.
  • Public & Verifiable: Indicators, timestamps, and outcomes are public when safe and lawful.
  • No Victim Data Stores: We avoid holding sensitive personal data; tickets use IDs only.
  • Evidence Preservation: We keep web archives and technical artifacts so victims and investigators can self‑serve discovery later.
  • Lawful Cooperation: We coordinate with hosts/registrars and share artifacts with competent authorities when appropriate.

How We Detect & Take Down Phishing

Our pipeline processes thousands of domains daily through automated scanning, multi-source intelligence, and expert review.

1. Detection

CT logs, DNS registrations, phishing feeds, community reports. Automated classifiers flag threats within minutes.

Search database

2. Analysis

VirusTotal (95 engines), WHOIS/DNS, SSL certs, screenshots, content analysis. Risk scores from 12+ signals.

Scoring methodology

3. Reporting

Simultaneous reports to registrars, hosts, AV vendors, browser safe-browsing, and community blocklists.

Anatomy of a Takedown

4. Takedown

Track each domain until dead. Evidence in web archives. Registrar response varies from hours to weeks.

Impact metrics

Our Path: From Insight to Impact

Deep Investigations

We don't just find domains. We trace crypto on-chain, map infrastructure, and connect disparate campaigns to a single source, following the money to the operators.

"Root-Level" Access

We've seen scams from the inside. This unparalleled access to drainer panels, phishing kits, and operator infrastructure gives us a unique edge to preempt their next move.

Evidence Preservation

Every site is archived. We preserve crucial artifacts—JS encryption keys, operator IDs—creating an evidence locker for law enforcement and victims to use, no questions asked.

Proactive Disruption

We act so there are no victims. By reporting to over 50 vendors simultaneously, we create a network effect that dismantles scam campaigns before they fully launch. Learn more in our Anatomy of a Takedown guide.

Crypto-Scam Havens: The Responsibility Gap

A disproportionate number of crypto-scams originate from a handful of registrars. This is not a coincidence—it's a systemic failure in abuse handling.

Crypto-Scam Domains by Registrar

Source: PhishDestroy DB, live data

The Data Doesn't Lie

When one registrar hosts thousands more malicious domains than competitors, it points to a tolerance for abuse, incompetence, or both. Scammers flock to platforms with the least resistance.

Our Role

We provide clear evidence to these registrars, giving them the opportunity to meet their ICANN obligations. Our public logs create accountability when they fail to act.

Transparency & Trust

Credibility comes from openness. Every process is documented and verifiable.

Open Methodology

95 AV engines, 11 blocklists, DNS/WHOIS/SSL analysis. All documented.

How we score

Appeal Process

Every appeal reviewed within 48 hours. FP rate: <0.01%. No paid delistings.

Submit appeal

Public Data

Threat feeds, blocklists, investigation logs — open-source on GitHub.

GitHub

Evidence Retention

Screenshots, source code, WHOIS snapshots, Wayback archives for every domain.

Policy

Corrections Policy

Errors corrected publicly with timestamps and reasoning.

Policy

No Paid Delistings

We never accept payment to remove a detection. Integrity is non-negotiable.

Appeals

A Message for Victims: Your Silence is Their Weapon

Do not stay silent. Do not hide what happened. By doing so, you are doing the scammers a favor. Your silence breeds their impunity. More money for them means more attacks, more victims.

1. Get Immediate Help

For rapid response and professional help in any situation, contact the SEAL 911 team.

Contact SEAL 911

2. Report Publicly

The minimum you should do. Share information about the scammer with the world. It's a small step that can help others.

Report to Chainabuse

3. Report Legally

Report the crime to your local police department. This can be done via email or their website. Not reporting is covering for them.

Contact Local Police

A Message To...

The Industry

We are not your enemy. We are your free, expert abuse-triage service. Our reports are actionable intelligence, not accusations. We expect you to investigate and act as per your contractual obligations. If your abuse desk is unqualified, that is an internal issue. Requests for video proof or different file formats are intentional delays that help criminals steal more. Act on the comprehensive evidence we provide.

Scammers

Keep reporting each other. It helps us cluster and neutralize your networks faster. In 5/5 large CIS groups we analyzed, revenue filters skimmed funds from you upstream; you don’t even see 5% of the total take. You are not kings; you are disposable, and victims of your own operators.

Join the Mission

Use our data. Collaborate. Stop the next scam before it starts.

Get Data Feed Tools & Services Scan a Site Live Reports

Our Key Research

Deep-dive investigations into phishing infrastructure, drainer panels, and scam networks.

XMRWallet Exposed

How a fake Monero wallet stole millions over 10 years through hijacked transactions.

Read investigation

TrustWallet Panel Exposed

Inside an $8.5M wallet drainer panel — leaked source code and 1,900 chat logs.

Read investigation

TheProject Scam Empire

Unmasking one of the largest coordinated scam operations with hundreds of domains.

Read investigation

Impact Metrics

104,000+ domains tracked, 23,000+ reports filed, 79,000+ takedowns coordinated.

View metrics

Anatomy of a Takedown

Step-by-step walkthrough of how we take down phishing infrastructure.

Read guide

Enemy One

Tracking down one of the most persistent phishing operators on the internet.

Read investigation