# PhishDestroy threat dossier — advanceddatasrecovery.com ================================================================ Fetched: 2026-07-02 01:30:35 UTC Canonical: https://phishdestroy.io/domain/advanceddatasrecovery.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 75/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/91 security vendors flagged this domain AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 163.61.188.7 (US, Staten Island) ASN: AS153568 NEW DHAKA HARDWARE Hosting org: MIT Registrar: NAMECHEAP INC Nameservers: dns1.lytehosting.com, dns2.lytehosting.com, dns3.lytehosting.com, dns4.lytehosting.com Registered: 2026-01-17 Expires: 2027-01-17 Page title: Advanced Data Recovery - Data Security Services Agency. ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-08-17 Status: INVALID chain Fingerprint: 14d44e20a7d6b5e7d485bad92c047637a54c1b6b96d9aec7d34e02670beb02b3 Subject Alternative Names (related infrastructure — often same operator): - advanceddatasrecovery.com.greyvestbk.com - www.advanceddatasrecovery.com.greyvestbk.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-01-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-01 03:56:44 UTC (by PhishDestroy tracker) First reported: 2026-07-01 02:09:30 UTC (abuse notice filed) Last verified: 2026-07-02 00:20:34 UTC Neutralised: 2026-07-01 12:02:52 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f1b63-4dce-71ca-99c8-ef5c7d9a48be/ URLQuery: https://urlquery.net/report/dc93f073-ac7a-4eac-8d12-3bb167dc009a Wayback Machine: https://web.archive.org/web/*/advanceddatasrecovery.com crt.sh CT logs: https://crt.sh/?q=%25.advanceddatasrecovery.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=advanceddatasrecovery.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/advanceddatasrecovery.com URLhaus: https://urlhaus.abuse.ch/host/advanceddatasrecovery.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-01 04:56:33 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, advanceddatasrecovery.com, is currently under investigation for credential theft targeting individuals and organizations by impersonating a legitimate data recovery and security service agency. The site presents itself as the 'Advanced Data Recovery - Data Security Services Agency,' a fabricated entity designed to deceive victims into submitting sensitive login credentials, personal data, or financial information under false pretenses. As of the latest assessment, the domain remains active and has not yet been widely flagged by security vendors, though intelligence sources indicate emerging concerns. Infrastructure analysis reveals several technical indicators of potential malicious intent. The domain was registered on January 17, 2026, through NAMECHEAP INC, a registrar frequently associated with newly created fraudulent sites. It resolves to the IP address 163.61.188.7, which has not been previously linked to known legitimate services. Despite its recent creation, the domain has already appeared in one threat intelligence pulse on AlienVault OTX, suggesting early detection by automated monitoring systems. The site employs a Let's Encrypt SSL certificate, a common tactic among threat actors to create a false sense of security. Notably, VirusTotal reports 0 detections out of 95 vendors, indicating that the domain has not yet been broadly recognized as malicious, though this does not preclude its use in active credential theft campaigns. The Gridinsoft trust score of 0 out of 100 further underscores the high-risk nature of this domain. Current evidence suggests that advanceddatasrecovery.com is part of an evolving credential theft operation, likely targeting users seeking data recovery services. While the domain has not yet been widely blocked, the combination of a newly registered domain, low trust scores, and presence in threat intelligence feeds warrants immediate caution. Organizations and individuals are advised to block access to this domain at the network level and flag it in security monitoring systems. End users should be educated to recognize the signs of credential theft, including unsolicited requests for login details or personal information from unverified service providers. Security teams are recommended to monitor for connections to 163.61.188.7 and correlate any activity with potential phishing incidents. Proactive measures, such as domain reputation checks and endpoint protection updates, should be prioritized to mitigate exposure to this threat. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260701-80F551 Favicon MD5: cf0b96892e3982f4d7e9573567e3eda7 TLS cert SHA-256: 14d44e20a7d6b5e7d485bad92c047637a54c1b6b96d9aec7d34e02670beb02b3 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/advanceddatasrecovery.com/ JSON API: https://api.destroy.tools/v1/check?domain=advanceddatasrecovery.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,583 domains (13,714 alive under monitoring, 159,163 confirmed takedowns/dead). Site: https://phishdestroy.io