Threat Intelligence Dashboard

December 2025 Report

Detailed threat intelligence for 11,773 phishing domains. Registrar abuse, drainer kits, targeted brands, and AI-generated expert assessment.

166,600Total Detected
144,147Taken Down
91.6%Kill Rate
93.5%VT Coverage
45,500Abuse Reports
Overview Jun 268,072 May 267,021 Apr 2615,633 Mar 2618,814 Feb 2642,095 Jan 268,924 Dec 2511,773 Nov 2512,578 Oct 258,841 Sep 257,306 Aug 253,788 Jul 25700 Jun 253
December 2025 Intelligence Report 6.4%
11,773
10,686
Taken Down
524
Still Live
90.8%
Kill Rate
2455h
Avg Response
10.1
Avg VT Score

In December 2025, PhishDestroy detected <strong>11,773</strong> phishing domains, marking a <strong>6.4%</strong> decrease from the previous month. The takedown rate was <strong>76.3%</strong>, with <strong>8,978</strong> domains neutralized. Notably, <strong>Crypto Scam</strong> targeting remains prevalent with <strong>820</strong> domains, while <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> emerged as the top registrar for abuse cases. The operational impact shows effective takedown efforts, though the mean registrar response time of <strong>1452.7</strong> hours indicates room for improvement in response speed.

  • <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> leads registrar abuse with <strong>1268</strong> cases, necessitating focused intervention.
  • Crypto-related brands like <strong>Coinbase</strong> and <strong>Kraken</strong> are primary targets, overshadowing traditional banking sectors.
  • The <strong>.com</strong> TLD remains the most weaponized with <strong>3816</strong> domains, followed by <strong>.app</strong> and <strong>.dev</strong>.
  • The <strong>Angel Drainer</strong> kit is the most used, posing significant threats to victims' wallets through direct fund extraction.
  • The US hosts the majority of phishing infrastructure with <strong>8798</strong> domains, indicating a need for enhanced monitoring in this region.
  • Detection-to-takedown efficiency remains robust at <strong>76.3%</strong>, but the slow registrar response time highlights a critical gap.
Outlook
As we move into January 2026, defenders should anticipate continued targeting of crypto platforms, especially given the dominance of the <strong>Angel Drainer</strong> kit. Registrars like <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> and <strong>Cloudflare, Inc.</strong> require escalation to improve response times. Watch for potential shifts in TLD usage and geographic hosting patterns.
Full Data on GitHub Browse All Domains Live Threats

Top Registrars

RegistrarDomains
NiceNIC International Group Co., Limited 1,284
Cloudflare, Inc. 1,148
Dynadot LLC 607
CSC Corporate Domains, Inc. 584
PDR Ltd. d/b/a PublicDomainRegistry.com 581
Gname.com Pte. Ltd. 529
GoDaddy.com, LLC 509
NameCheap, Inc. 461

Targeted Brands

BrandDomains
coinbase 813
Crypto Casino / Gambling 781
across 545
Kraken 422
Ledger 364
MetaMask 265
x.com 213
Google 213

Top TLDs

.com3,816 .app991 .dev619 .io609 .xyz483 .ru453 .ai349 .org319

Hosting Countries

🇺🇸 US8,993 🇩🇪 DE647 🇸🇪 SE401 🇭🇰 HK390 🇳🇱 NL376 🇷🇺 RU97 🇫🇷 FR77 🇬🇧 GB75

Active Drainer Kits

Angel Drainer746 Wallet Connect Abuse418 Solana Drainer252 Inferno Drainer4 Ice Phishing2

December 2025 Domains (11,773)

Sorted by VirusTotal detections. Click any domain for full security report.

Screenshot of amazon-clone-lime-eight.vercel.app
amazon-clone-lime-eight.vercel.app
26 VTLive
Screenshot of amazon-clone-navy-eight.vercel.app
amazon-clone-navy-eight.vercel.app
26 VTLive
Screenshot of amazon-clone-navy-ten.vercel.app
amazon-clone-navy-ten.vercel.app
26 VTLive
Screenshot of netflix-clone-topaz-kappa.vercel.app
netflix-clone-topaz-kappa.vercel.app
26 VTLive
Screenshot of amazon-clone-plum-eight.vercel.app
amazon-clone-plum-eight.vercel.app
25 VTLive
Screenshot of easybank-landing-page-rho.vercel.app
easybank-landing-page-rho.vercel.app
25 VTLive
Screenshot of extension.egjidjbpglichdcondbcbdnbeeppgdph.com
extension.egjidjbpglichdcondbcbdnbeeppgdph.com
25 VTTaken Down
Screenshot of netflix-clone-6.vercel.app
netflix-clone-6.vercel.app
25 VTLive
Screenshot of netflix-clone-olive-mu.vercel.app
netflix-clone-olive-mu.vercel.app
25 VTLive
Screenshot of portal-e-devlet.com
portal-e-devlet.com
25 VTTaken Down
Screenshot of 6h603.com
6h603.com
24 VTTaken Down
Screenshot of amazon-clone-khaki-eight.vercel.app
amazon-clone-khaki-eight.vercel.app
24 VTLive
Screenshot of amazon-clone-seven-opal.vercel.app
amazon-clone-seven-opal.vercel.app
24 VTLive
Screenshot of bafybeifpqhyzn73oe4u5fepceonr6hbpvffuxj7vikwnwh3wkrp2v3blei.ipfs.infura-ipfs.io
bafybeifpqhyzn73oe4u5fepceonr6hbpvffuxj7vikwnwh3wkrp2v3blei.ipfs.infura-ipfs.io
24 VTTaken Down
Screenshot of cp-intermedia-controlpanel-login-webmail.babysuites.net
cp-intermedia-controlpanel-login-webmail.babysuites.net
24 VTTaken Down
Screenshot of easybank-project.vercel.app
easybank-project.vercel.app
24 VTLive
Screenshot of facebook-login-page-clone-gamma.vercel.app
facebook-login-page-clone-gamma.vercel.app
24 VTLive
Screenshot of flamita.click
flamita.click
24 VTTaken Down
Screenshot of netflix-clone-sigma-gules.vercel.app
netflix-clone-sigma-gules.vercel.app
24 VTTaken Down
Screenshot of rownowaga-invrevo.com
rownowaga-invrevo.com
24 VTTaken Down
Screenshot of verificaintesa.it
verificaintesa.it
24 VTTaken Down
Screenshot of www-roblox-com-frr-users-6048717178.vercel.app
www-roblox-com-frr-users-6048717178.vercel.app
24 VTLive
Screenshot of 977776i.cleansite.info
977776i.cleansite.info
23 VTTaken Down
Screenshot of almost-netflix.vercel.app
almost-netflix.vercel.app
23 VTLive
Screenshot of amazon-clone-cyan-ten.vercel.app
amazon-clone-cyan-ten.vercel.app
23 VTLive
Screenshot of amazon-clone-olive-eight.vercel.app
amazon-clone-olive-eight.vercel.app
23 VTLive
Screenshot of amazonbylio.vercel.app
amazonbylio.vercel.app
23 VTLive
Screenshot of audit-defi.com
audit-defi.com
23 VTTaken Down
Screenshot of bafybeifo2pid4d2xyk7cc2rncpemph3kljg5ylnovhdmdvw4khoq3uzlya.ipfs.infura-ipfs.io
bafybeifo2pid4d2xyk7cc2rncpemph3kljg5ylnovhdmdvw4khoq3uzlya.ipfs.infura-ipfs.io
23 VTTaken Down
Screenshot of basementselfsolve.com
basementselfsolve.com
23 VTTaken Down
Screenshot of bet405.cc
bet405.cc
23 VTTaken Down
Screenshot of blyaddddd.vercel.app
blyaddddd.vercel.app
23 VTLive
Screenshot of facebooklinksk.blogspot.com
facebooklinksk.blogspot.com
23 VTTaken Down
Screenshot of getinfo-netflix.com
getinfo-netflix.com
23 VTTaken Down
Screenshot of httpss-roblox.co
httpss-roblox.co
23 VTTaken Down
Screenshot of ledger.recovery.5930217.com
ledger.recovery.5930217.com
23 VTTaken Down
Screenshot of lhttps-www-roblox.com
lhttps-www-roblox.com
23 VTTaken Down
Screenshot of magenta-tenets-857917.framer.app
magenta-tenets-857917.framer.app
23 VTTaken Down
Screenshot of mailer3-dhl.mdbgo.io
mailer3-dhl.mdbgo.io
23 VTTaken Down
Screenshot of marthasvineyardbabysitters.net
marthasvineyardbabysitters.net
23 VT
Screenshot of netflix-clone-peach-kappa.vercel.app
netflix-clone-peach-kappa.vercel.app
23 VTTaken Down
Screenshot of netflix-clone-teal-six.vercel.app
netflix-clone-teal-six.vercel.app
23 VTTaken Down
Screenshot of o365.vip
o365.vip
23 VTTaken Down
Screenshot of opensea.io.marketplace-art.com
opensea.io.marketplace-art.com
23 VTTaken DownWallet Connect Abuse
Screenshot of phantom-backup.com
phantom-backup.com
23 VTTaken Down
Screenshot of portal.pkim.gallezone.lk
portal.pkim.gallezone.lk
23 VTTaken Down
Screenshot of rudrapratapsingh21.github.io
rudrapratapsingh21.github.io
23 VTLive
Screenshot of secure-coinbase-en-auth.daftpage.com
secure-coinbase-en-auth.daftpage.com
23 VTTaken Down
Screenshot of trezorsuite.at
trezorsuite.at
23 VTTaken Down
Screenshot of upholld-loggi05.godaddysites.com
upholld-loggi05.godaddysites.com
23 VTTaken Down
Screenshot of wha-web-whatsapp.com.cn
wha-web-whatsapp.com.cn
23 VTTaken Down
Screenshot of whatsapp-clone-frontend-liart.vercel.app
whatsapp-clone-frontend-liart.vercel.app
23 VTLive
Screenshot of 0365ff.com
0365ff.com
22 VTTaken Down
Screenshot of 1565999555.com
1565999555.com
22 VTTaken Down
Screenshot of 1565999999.com
1565999999.com
22 VTTaken Down
Screenshot of 195000000.com
195000000.com
22 VTTaken Down
Screenshot of 195111777.com
195111777.com
22 VTTaken Down
Screenshot of 195173.com
195173.com
22 VTTaken Down
Screenshot of 195222555.com
195222555.com
22 VTTaken Down
Screenshot of 1952266.com
1952266.com
22 VTTaken Down
1 2 3 4 ... Next »

Detection Trends

Monthly domain volume, kill rate, and live threats over time.

Monthly Detected Domains

Kill Rate %

Explore More

Related intelligence pages and data feeds.

Domain Hub

166,600+ domains with security reports

Live Threats

13,143 phishing sites still online

DestroyList on GitHub

Open-source daily phishing domain feeds

About PhishDestroy

Independent anti-phishing threat intelligence