Threat Intelligence Dashboard

December 2025 Report

Detailed threat intelligence for 11,773 phishing domains. Registrar abuse, drainer kits, targeted brands, and AI-generated expert assessment.

166,629Total Detected
144,237Taken Down
91.7%Kill Rate
93.5%VT Coverage
45,506Abuse Reports
Overview Jun 268,101 May 267,021 Apr 2615,633 Mar 2618,814 Feb 2642,095 Jan 268,924 Dec 2511,773 Nov 2512,578 Oct 258,841 Sep 257,306 Aug 253,788 Jul 25700 Jun 253
December 2025 Intelligence Report 6.4%
11,773
10,686
Taken Down
524
Still Live
90.8%
Kill Rate
2455h
Avg Response
10.1
Avg VT Score

In December 2025, PhishDestroy detected <strong>11,773</strong> phishing domains, marking a <strong>6.4%</strong> decrease from the previous month. The takedown rate was <strong>76.3%</strong>, with <strong>8,978</strong> domains neutralized. Notably, <strong>Crypto Scam</strong> targeting remains prevalent with <strong>820</strong> domains, while <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> emerged as the top registrar for abuse cases. The operational impact shows effective takedown efforts, though the mean registrar response time of <strong>1452.7</strong> hours indicates room for improvement in response speed.

  • <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> leads registrar abuse with <strong>1268</strong> cases, necessitating focused intervention.
  • Crypto-related brands like <strong>Coinbase</strong> and <strong>Kraken</strong> are primary targets, overshadowing traditional banking sectors.
  • The <strong>.com</strong> TLD remains the most weaponized with <strong>3816</strong> domains, followed by <strong>.app</strong> and <strong>.dev</strong>.
  • The <strong>Angel Drainer</strong> kit is the most used, posing significant threats to victims' wallets through direct fund extraction.
  • The US hosts the majority of phishing infrastructure with <strong>8798</strong> domains, indicating a need for enhanced monitoring in this region.
  • Detection-to-takedown efficiency remains robust at <strong>76.3%</strong>, but the slow registrar response time highlights a critical gap.
Outlook
As we move into January 2026, defenders should anticipate continued targeting of crypto platforms, especially given the dominance of the <strong>Angel Drainer</strong> kit. Registrars like <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> and <strong>Cloudflare, Inc.</strong> require escalation to improve response times. Watch for potential shifts in TLD usage and geographic hosting patterns.
Full Data on GitHub Browse All Domains Live Threats

Top Registrars

RegistrarDomains
NiceNIC International Group Co., Limited 1,284
Cloudflare, Inc. 1,148
Dynadot LLC 607
CSC Corporate Domains, Inc. 584
PDR Ltd. d/b/a PublicDomainRegistry.com 581
Gname.com Pte. Ltd. 529
GoDaddy.com, LLC 509
NameCheap, Inc. 461

Targeted Brands

BrandDomains
coinbase 813
Crypto Casino / Gambling 781
across 545
Kraken 422
Ledger 364
MetaMask 265
x.com 213
Google 213

Top TLDs

.com3,816 .app991 .dev619 .io609 .xyz483 .ru453 .ai349 .org319

Hosting Countries

🇺🇸 US8,993 🇩🇪 DE647 🇸🇪 SE401 🇭🇰 HK390 🇳🇱 NL376 🇷🇺 RU97 🇫🇷 FR77 🇬🇧 GB75

Active Drainer Kits

Angel Drainer746 Wallet Connect Abuse418 Solana Drainer252 Inferno Drainer4 Ice Phishing2

December 2025 Domains (11,773)

Sorted by VirusTotal detections. Click any domain for full security report.

Screenshot of 195909.com
195909.com
22 VTTaken Down
Screenshot of acc-amex.ueno-won.com
acc-amex.ueno-won.com
22 VTTaken Down
Screenshot of actlife.com
actlife.com
22 VTTaken Down
Screenshot of adobe-clone.vercel.app
adobe-clone.vercel.app
22 VTLive
Screenshot of agreed-approve-directories-ppc.trycloudflare.com
agreed-approve-directories-ppc.trycloudflare.com
22 VTTaken Down
Screenshot of allegro-lokalnie.pl-oferta322352532.icu
allegro-lokalnie.pl-oferta322352532.icu
22 VTTaken Down
Screenshot of amazonclone-two-gamma.vercel.app
amazonclone-two-gamma.vercel.app
22 VTLive
Screenshot of amazonclone-wheat.vercel.app
amazonclone-wheat.vercel.app
22 VTLive
Screenshot of amexoun.izumi-taten.com
amexoun.izumi-taten.com
22 VTTaken Down
Screenshot of auvanquoc27.io.vn
auvanquoc27.io.vn
22 VT
Screenshot of bafkreibkrnq7vwyccyrf322eafvhql2d2sniurgizj432bqvj77qwsfr7q.ipfs.dweb.link
bafkreibkrnq7vwyccyrf322eafvhql2d2sniurgizj432bqvj77qwsfr7q.ipfs.dweb.link
22 VTTaken Down
Screenshot of celacampaig.wpenginepowered.com
celacampaig.wpenginepowered.com
22 VTTaken Down
Screenshot of coinbase-learn.framer.media
coinbase-learn.framer.media
22 VTTaken Down
Screenshot of discord-d7f1pmwte-owenlikecoding.vercel.app
discord-d7f1pmwte-owenlikecoding.vercel.app
22 VTLive
Screenshot of ephemeral-lollipop-27f257.netlify.app
ephemeral-lollipop-27f257.netlify.app
22 VTTaken Down
Screenshot of facebmall.shop
facebmall.shop
22 VTTaken Down
Screenshot of fb-helppline-service.vercel.app
fb-helppline-service.vercel.app
22 VTTaken Down
Screenshot of fexoviontech-com.cryptofinancetrack.com
fexoviontech-com.cryptofinancetrack.com
22 VTTaken Down
Screenshot of gallery.billy-chiu.com
gallery.billy-chiu.com
22 VTTaken Down
Screenshot of golden-capybara-730f55.netlify.app
golden-capybara-730f55.netlify.app
22 VTTaken Down
Screenshot of instagram-clone-web.vercel.app
instagram-clone-web.vercel.app
22 VTLive
Screenshot of instagram-ios-appg39b.rollout.site
instagram-ios-appg39b.rollout.site
22 VTTaken Down
Screenshot of instagram-login-16-4.vercel.app
instagram-login-16-4.vercel.app
22 VTTaken Down
Screenshot of intesasanpaoloit.it
intesasanpaoloit.it
22 VTTaken Down
Screenshot of knowledgemomentum-net.moneymaking-opportunities.com
knowledgemomentum-net.moneymaking-opportunities.com
22 VTTaken Down
Screenshot of kreknlugin.godaddysites.com
kreknlugin.godaddysites.com
22 VTTaken Down
Screenshot of legderhealth.com
legderhealth.com
22 VT
Screenshot of metarnask.work
metarnask.work
22 VTTaken Down
Screenshot of networksolutionsemail-app.lflink.com
networksolutionsemail-app.lflink.com
22 VTTaken Down
Screenshot of opensea.com.offer-proposal.com
opensea.com.offer-proposal.com
22 VTTaken DownAngel Drainer
Screenshot of re11133.vercel.app
re11133.vercel.app
22 VTLive
Screenshot of recreate-instagrampage.vercel.app
recreate-instagrampage.vercel.app
22 VTLive
Screenshot of robloxr.com.es
robloxr.com.es
22 VTTaken Down
Screenshot of robloxv.com.es
robloxv.com.es
22 VTTaken Down
Screenshot of securesmandt.vercel.app
securesmandt.vercel.app
22 VTTaken Down
Screenshot of sites.it-safe.web.id
sites.it-safe.web.id
22 VTTaken Down
Screenshot of sslvhconnectclients.wan64.de
sslvhconnectclients.wan64.de
22 VTTaken Down
Screenshot of static-amount-404464.framer.app
static-amount-404464.framer.app
22 VTTaken Down
Screenshot of steam.bywg.vip
steam.bywg.vip
22 VTTaken Down
Screenshot of streamcami.net
streamcami.net
22 VTTaken Down
Screenshot of trezordevicesupport.com
trezordevicesupport.com
22 VTTaken Down
Screenshot of uaeth.vip
uaeth.vip
22 VTTaken Down
Screenshot of upho0ld-logiinus.godaddysites.com
upho0ld-logiinus.godaddysites.com
22 VTTaken Down
Screenshot of wha-app-whatsapp.com.cn
wha-app-whatsapp.com.cn
22 VTTaken Down
Screenshot of whatsapp724.blogspot.com
whatsapp724.blogspot.com
22 VTTaken Down
Screenshot of wwwdd.vercel.app
wwwdd.vercel.app
22 VTLive
Screenshot of 0365uu.com
0365uu.com
21 VTTaken Down
Screenshot of 0authxfinity.vercel.app
0authxfinity.vercel.app
21 VTTaken Down
Screenshot of 100k4yo.netlify.app
100k4yo.netlify.app
21 VTLive
Screenshot of 1111365wz.cc
1111365wz.cc
21 VTTaken Down
Screenshot of 13355.vip
13355.vip
21 VTTaken Down
Screenshot of 1615666666.com
1615666666.com
21 VTTaken Down
Screenshot of 195000222.com
195000222.com
21 VTTaken Down
Screenshot of 195000555.com
195000555.com
21 VTTaken Down
Screenshot of 1950055.com
1950055.com
21 VTTaken Down
Screenshot of 195222777.com
195222777.com
21 VTTaken Down
Screenshot of 1952255.com
1952255.com
21 VTTaken Down
Screenshot of 195444000.com
195444000.com
21 VTTaken Down
Screenshot of 1958800.com
1958800.com
21 VTTaken Down
Screenshot of 195926.com
195926.com
21 VTTaken Down
« Prev 1 2 3 4 5 ... Next »

Detection Trends

Monthly domain volume, kill rate, and live threats over time.

Monthly Detected Domains

Kill Rate %

Explore More

Related intelligence pages and data feeds.

Domain Hub

166,629+ domains with security reports

Live Threats

13,073 phishing sites still online

DestroyList on GitHub

Open-source daily phishing domain feeds

About PhishDestroy

Independent anti-phishing threat intelligence