Threat Intelligence Dashboard

March 2026 Report

Detailed threat intelligence for 18,814 phishing domains. Registrar abuse, drainer kits, targeted brands, and AI-generated expert assessment.

166,629Total Detected

144,237Taken Down

91.7%Kill Rate

93.5%VT Coverage

45,506Abuse Reports

Overview Jun 268,101 May 267,021 Apr 2615,633 Mar 2618,814 Feb 2642,095 Jan 268,924 Dec 2511,773 Nov 2512,578 Oct 258,841 Sep 257,306 Aug 253,788 Jul 25700 Jun 253

March 2026 Intelligence Report 55.3%

18,814

15,602

Taken Down

2,096

Still Live

82.9%

Kill Rate

375h

Avg Response

6.5

Avg VT Score

In March 2026, PhishDestroy detected <strong>6,635</strong> phishing domains, marking a <strong>63.6%</strong> decrease from the previous month. Despite this reduction, <strong>3,124</strong> domains remain active, highlighting a takedown rate of only <strong>52.6%</strong>. Attackers continue to focus on cryptocurrency platforms, with <strong>Coinbase</strong> and <strong>Exodus</strong> being the top targets. The operational impact is significant, as the takedown rate remains below the desired threshold, indicating a need for improved response times from registrars, particularly <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> and <strong>Cloudflare, Inc.</strong>.

<strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> is the top abused registrar with <strong>1,334</strong> domains, necessitating immediate escalation.
Cryptocurrency platforms, especially <strong>Coinbase</strong> and <strong>Exodus</strong>, are under sustained attack, with <strong>86</strong> and <strong>72</strong> domains respectively.
The <strong>.com</strong> TLD remains the most weaponized with <strong>2,369</strong> domains, followed by <strong>.dev</strong> and <strong>.app</strong>.
The <strong>Solana Drainer</strong> kit is prevalent, used in <strong>105</strong> instances, posing a significant threat of wallet drains for victims.
Peak detection days were <strong>March 2nd</strong> and <strong>March 5th</strong>, indicating concentrated phishing campaigns.
Mean registrar response time is <strong>47.3 hours</strong>, suggesting room for improvement in takedown efficiency.

Outlook

Looking ahead to April 2026, defenders should remain vigilant against cryptocurrency-targeted phishing, particularly involving <strong>Solana Drainer</strong> kits. Registrars like <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> and <strong>Cloudflare, Inc.</strong> require continued monitoring and pressure to enhance their response times. Expect potential shifts in TLD usage as attackers adapt to increased scrutiny.

Full Data on GitHub Browse All Domains Live Threats

Top Registrars

Registrar	Domains
CloudFlare, Inc.	4,008
NICENIC INTERNATIONAL GROUP CO., LIMITED	3,476
PDR Ltd. d/b/a PublicDomainRegistry.com	863
Dynadot LLC	670
GoDaddy.com, LLC	668
Gname.com Pte. Ltd.	666
NameSilo, LLC	575
Ultahost, Inc.	483

Targeted Brands

Brand	Domains
Ledger	1,355
Kraken	409
Trezor	372
Solana	333
Airdrop Scam	299
OKX	288
across	281
google	248

Top TLDs

Hosting Countries

Active Drainer Kits

March 2026 Domains (18,814)

Sorted by VirusTotal detections. Click any domain for full security report.

Screenshot of payment.ads-program-agency.com

payment.ads-program-agency.com

23 VTTaken Down

Screenshot of paypal-account-login.eliaswebstudio.com

paypal-account-login.eliaswebstudio.com

23 VTTaken Down

Screenshot of ridistrict.com

23 VTTaken Down

Screenshot of robiox.com.gr

23 VTTaken Down

Screenshot of safearea.putunesimbah.de

safearea.putunesimbah.de

23 VTTaken Down

Screenshot of share-instagram.com

share-instagram.com

23 VTTaken Down

Screenshot of sp1-d.jp

23 VTTaken Down

Screenshot of sprightly-longma-4a5bc1.netlify.app

sprightly-longma-4a5bc1.netlify.app

Screenshot of tk-h5.spys1010.vip

tk-h5.spys1010.vip

23 VTTaken Down

Screenshot of tk8879.com

23 VTTaken Down

Screenshot of twezygame.xyz

23 VTTaken Down

Screenshot of usherkomugisha.com

usherkomugisha.com

Screenshot of w64x.xyz

23 VTTaken Down

Screenshot of w65v.xyz

23 VTTaken Down

23 VTTaken Down

23 VTTaken Down

Screenshot of westandard.appwrite.network

westandard.appwrite.network

23 VTTaken Down

Screenshot of what-apps.com

23 VTTaken Down

Screenshot of whatscvpp.top

23 VTTaken Down

Screenshot of xxzye-d.santxye.biz.id

xxzye-d.santxye.biz.id

23 VTTaken Down

Screenshot of zelleapayhelplinenumber.webflow.io

zelleapayhelplinenumber.webflow.io

23 VTTaken Down

Screenshot of 121jio.luxemte.cc

121jio.luxemte.cc

22 VTTaken Down

Screenshot of 63390.xyz

22 VTTaken Down

Screenshot of 68147.xyz

22 VTTaken Down

Screenshot of 8563-coinbase.com

8563-coinbase.com

22 VTTaken Down

Screenshot of acceso-ya1.webcindario.com

acceso-ya1.webcindario.com

22 VTTaken Down

Screenshot of accounts.bmwweb.cc

accounts.bmwweb.cc

22 VTTaken Down

Screenshot of adobedrive-developproject.appwrite.network

adobedrive-developproject.appwrite.network

22 VTTaken Down

Screenshot of aktivasiixm-payllterdna.luciferxyz.biz.id

aktivasiixm-payllterdna.luciferxyz.biz.id

22 VTTaken Down

Screenshot of allegro.2398g9848394.cyou

allegro.2398g9848394.cyou

22 VTTaken Down

Screenshot of allegro.pruwtao367201.cfd

allegro.pruwtao367201.cfd

22 VTTaken Down

Screenshot of allegrolokalne.sbs

allegrolokalne.sbs

22 VTTaken Down

Screenshot of amazon-clone-tau-lemon-59.vercel.app

amazon-clone-tau-lemon-59.vercel.app

Screenshot of amazon-clone-three-sandy.vercel.app

amazon-clone-three-sandy.vercel.app

Screenshot of amazon.deviceperks.com

amazon.deviceperks.com

Screenshot of amazonwebclone.vercel.app

amazonwebclone.vercel.app

Screenshot of apply-black.vercel.app

apply-black.vercel.app

Screenshot of at-t-mail-16b827.webflow.io

at-t-mail-16b827.webflow.io

22 VTTaken Down

Screenshot of b249n.xyz

22 VTTaken Down

Screenshot of bafkreictgoqh23cwflhs54whbr4qfmydt6b37wkeai4mie7vdq3tcistxe.ipfs.dweb.link

bafkreictgoqh23cwflhs54whbr4qfmydt6b37wkeai4mie7vdq3tcistxe.ipfs.dweb.link

22 VTTaken Down

Screenshot of bet426.cc

22 VTTaken Down

Screenshot of centre-backup-exodus-com-u.vercel.app

centre-backup-exodus-com-u.vercel.app

22 VTTaken Down

Screenshot of chartreuse-color-879469.framer.app

chartreuse-color-879469.framer.app

22 VTTaken Down

Screenshot of coiniybessiprrologn.godaddysites.com

coiniybessiprrologn.godaddysites.com

22 VTTaken Down

Screenshot of cyrexmods.to

22 VTTaken Down

Screenshot of dainty-faloodeh-f44b02.netlify.app

dainty-faloodeh-f44b02.netlify.app

22 VTTaken Down

Screenshot of dana-bantuan.official-helpp.web.id

dana-bantuan.official-helpp.web.id

22 VTTaken Down

Screenshot of danon.rajawaliabadistore.my.id

danon.rajawaliabadistore.my.id

22 VTTaken Down

Screenshot of dappaccesswallets.netlify.app

dappaccesswallets.netlify.app

Screenshot of discord.imms.top

discord.imms.top

22 VTTaken Down

Screenshot of dnaazxformnn.stormiexyz.my.id

dnaazxformnn.stormiexyz.my.id

22 VTTaken Down

Screenshot of dotnotblock-pfwzl61nwt.edgeone.app

dotnotblock-pfwzl61nwt.edgeone.app

22 VTTaken Down

Screenshot of dvo-a.com

22 VTTaken Down

Screenshot of e138a.xyz

22 VTTaken Down

Screenshot of easy-bank-landing-page-ecru.vercel.app

easy-bank-landing-page-ecru.vercel.app

Screenshot of event-pancakeswap.app

event-pancakeswap.app

22 VTTaken Down

Screenshot of extrabet2451.com

extrabet2451.com

22 VTTaken Down

Screenshot of extraordinary-pastelito-8d4c5e.netlify.app

extraordinary-pastelito-8d4c5e.netlify.app

Screenshot of facebook-clone-nu-nine.vercel.app

facebook-clone-nu-nine.vercel.app

Screenshot of facebook-clone-theta-nine.vercel.app

facebook-clone-theta-nine.vercel.app

Detection Trends

Monthly domain volume, kill rate, and live threats over time.

Monthly Detected Domains

Kill Rate %

Explore More

Related intelligence pages and data feeds.

Domain Hub

166,629+ domains with security reports

Live Threats

13,073 phishing sites still online

DestroyList on GitHub

Open-source daily phishing domain feeds

About PhishDestroy

Independent anti-phishing threat intelligence