Threat Intelligence Dashboard

September 2025 Report

Detailed threat intelligence for 7,306 phishing domains. Registrar abuse, drainer kits, targeted brands, and AI-generated expert assessment.

166,600 Total Detected
144,147 Taken Down
91.6% Kill Rate
93.5% VT Coverage
45,500 Abuse Reports
Overview: Jun 26: 8,072 | May 26: 7,021 | Apr 26: 15,633 | Mar 26: 18,814 | Feb 26: 42,095 | Jan 26: 8,924 | Dec 25: 11,773 | Nov 25: 12,578 | Oct 25: 8,841 | Sep 25: 7,306 | Aug 25: 3,788 | Jul 25: 700 | Jun 25: 3
September 2025 Intelligence Report 92.9%
7,306
6,984 Taken Down
182 Still Live
95.6% Kill Rate
4783h Avg Response
4.7 Avg VT Score

In September 2025, PhishDestroy detected 7,307 phishing domains, marking a 92.9% increase from the previous month, with a significant surge in activity on September 20th. The operational impact was notable with a takedown rate of 82.2%, although the mean registrar response time remained high at 3,828.5 hours. Attackers continued to focus on the crypto sector, with Generic Crypto and SushiSwap as top targets, indicating a shift in targeting tactics. The dominance of the Angel Drainer kit suggests a persistent threat of wallet draining and seed theft for victims.

  • N/A leads in registrar abuse with 819 domains, followed closely by NICENIC INTERNATIONAL GROUP CO., LIMITED with 721 domains.
  • Crypto brands like Generic Crypto and SushiSwap were heavily targeted, overshadowing traditional sectors like banking.
  • The .com TLD remains the most weaponized with 2,561 domains, while .xyz and .live show growing abuse.
  • The Angel Drainer kit was used in 1,120 incidents, indicating a focus on wallet draining and seed theft.
  • The US hosts the majority of phishing infrastructure with 5,931 domains, but there is notable activity in Germany and Netherlands.
  • Detection-to-takedown efficiency remains challenged with a mean response time of 3,828.5 hours, necessitating faster registrar actions.
Outlook
Expect continued emphasis on crypto-targeted phishing, with potential diversification in drainer kit variants. Watch for increased activity from registrars like N/A and NICENIC INTERNATIONAL GROUP CO., LIMITED, which may require escalation. Defenders should prepare for heightened phishing activity around key crypto events and ensure rapid response capabilities.

September 2025 Domains (7,306)

Sorted by VirusTotal detections. Click any domain for full security report.


Detection Trends

Monthly domain volume, kill rate, and live threats over time.

Monthly Detected Domains

Kill Rate %
