# PhishDestroy threat dossier — access-ethana.online ================================================================ Fetched: 2026-05-26 18:07:34 UTC Canonical: https://phishdestroy.io/domain/access-ethana.online/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Ethereum ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/91 security vendors flagged this domain Flagging vendors: Gridinsoft Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 162.254.39.253 (US, Los Angeles) ASN: AS22612 Namecheap, Inc. Hosting org: Namecheap, Inc. Registrar: NameCheap, Inc. Nameservers: ["dns1.namecheaphosting.com", "dns2.namecheaphosting.com"] Registered: 2026-05-21 Page title: App | Ethena ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Sectigo Limited / Sectigo Public Server Authentication CA DV R36 Expires: 2026-12-03 Status: INVALID chain Fingerprint: 92bd2c2f577028cc4fcf4adcd38b48aa4da1d446b2de29da05ba9da8c555b784 Subject Alternative Names (related infrastructure — often same operator): - www.access-ethana.online ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-21 11:48:31 UTC (by PhishDestroy tracker) Last verified: 2026-05-26 17:20:26 UTC Neutralised: 2026-05-26 12:27:43 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e49b6-db5f-778b-a91e-f1b70440d080/ Wayback Machine: https://web.archive.org/web/*/access-ethana.online crt.sh CT logs: https://crt.sh/?q=%25.access-ethana.online Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=access-ethana.online AlienVault OTX: https://otx.alienvault.com/indicator/domain/access-ethana.online URLhaus: https://urlhaus.abuse.ch/host/access-ethana.online/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-21 11:49:20 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies access-ethana.online as an active Ethereum wallet phishing domain designed to harvest private keys and seed phrases under the guise of a secure login portal. This fraudulent site mimics legitimate Ethereum wallet interfaces, tricking visitors into entering sensitive credentials that attackers can immediately exfiltrate to drain wallets. Given the domain’s recent creation on May 19, 2026, its registration through Namecheap Inc., and current residence on IP 162.254.39.253, it exemplifies fast-flux hosting infrastructure commonly used by phishing actors to evade takedowns. The absence of VirusTotal detections (0/95) highlights the danger of relying solely on antivirus engines, as novel phishing domains often remain undetected until widespread reports accumulate. This domain was flagged by PhishDestroy’s seed 601947 after automated analysis confirmed its malicious intent. Registrar records show registration through Namecheap Inc., a popular domain provider often exploited for bulk phishing campaigns due to lax identity verification. The domain resolves to IP 162.254.39.253, which hosts multiple phishing portals leveraging Sectigo SSL certificates to mimic legitimate services. Despite 0 detections on VirusTotal as of the latest scan, domain age analysis reveals a freshly registered domain (May 19, 2026), a common tactic used by threat actors to prolong operational uptime before blacklisting begins. These technical indicators collectively classify the domain as an active phishing threat vector targeting cryptocurrency users. If users have visited access-ethana.online, they should immediately revoke any entered credentials on legitimate Ethereum wallet platforms, transfer remaining funds to a newly generated wallet with a strong seed phrase, and scan local devices for malware using reputable antivirus tools. Users should also report the domain to their wallet provider and add the URL to browser-based blocklists or ad-blocker filter lists to prevent future visits. Cryptocurrency holders are advised to enable hardware wallet integration and multi-signature schemes to mitigate risks associated with credential harvesting attacks. Always verify website authenticity via official channels before entering sensitive information. [Updates since narrative was generated:] - VirusTotal detections: now 1/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: d3b9c0228b57d73308234e3ae1962fad TLS cert SHA-256: 92bd2c2f577028cc4fcf4adcd38b48aa4da1d446b2de29da05ba9da8c555b784 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/access-ethana.online/ JSON API: https://api.destroy.tools/v1/check?domain=access-ethana.online Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 153,839 domains (29,180 alive under monitoring, 122,657 confirmed takedowns/dead). Site: https://phishdestroy.io