# PhishDestroy threat dossier — agavechido.com
================================================================
Fetched: 2026-05-31 00:29:38 UTC
Canonical: https://phishdestroy.io/domain/agavechido.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Aave

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 45.9.148.106 (NL, Amsterdam)
ASN: AS49447 Nice IT Services Group Inc.
Hosting org: Nice IT Services Group Inc.
Registrar: Webcentral Group Ltd
Nameservers: ns1.mysecurecloudhost.com, ns2.mysecurecloudhost.com, ns3.mysecurecloudhost.com, ns4.mysecurecloudhost.com
Registered: 2025-11-20
Page title: Arbitrum Ecosystem Reward | ARB Distribution Program
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-08-01
Status: INVALID chain
Fingerprint: 53d6bcd52ffd6de6ce64456754adf2773613a3f56aff935208b181264119d49b
Subject Alternative Names (related infrastructure — often same operator):
- www.agavechido.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-11-20 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-03 22:05:05 UTC (by PhishDestroy tracker)
First reported: 2026-05-03 19:06:03 UTC (abuse notice filed)
Last verified: 2026-05-31 01:30:03 UTC
Neutralised: 2026-05-12 02:44:19 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019def39-f8a4-731b-944e-607c4c740f6e/
URLQuery: https://urlquery.net/report/4059e9b4-34cf-4c18-8fe3-060bf798ccdd
Wayback Machine: https://web.archive.org/web/*/agavechido.com
crt.sh CT logs: https://crt.sh/?q=%25.agavechido.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=agavechido.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/agavechido.com
URLhaus: https://urlhaus.abuse.ch/host/agavechido.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-03 22:06:04 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies agavechido.com as a domain actively impersonating the decentralized finance protocol Aave, a leading blockchain-based liquidity protocol. This domain is currently under investigation for brand impersonation and poses a high risk of phishing-related fraud, including credential theft and cryptocurrency wallet compromise. The threat actor leverages visual and functional mimicry to deceive users into interacting under false pretenses, targeting victims within the crypto ecosystem who may be less familiar with domain verification practices.

The domain agavechido.com was registered on November 20, 2025, through Webcentral Group Ltd, a domain registrar headquartered in Australia. It resolves to the IPv4 address 45.9.148.106 and is secured with a Let's Encrypt SSL certificate, a common tactic used to lend superficial legitimacy to malicious sites. As of the latest assessment, agavechido.com shows 0 detections out of 95 VirusTotal vendor engines, indicating a low immediate signature-based detection rate. Despite this, the domain remains unlisted on major threat intelligence blocklists and exhibits immature infrastructure, with no prior domain reputation history. Trust scores from threat intelligence platforms remain critically low, further supporting its suspicious classification.

Given the active status of agavechido.com and its clear intent to mimic Aave’s branding, users are strongly advised to avoid accessing this domain or entering any sensitive information, including wallet addresses, private keys, or transaction approvals. Users should verify website URLs using official Aave channels and consider using browser extensions that flag known impersonation sites. Blocklists should be updated immediately by security teams, and network defenders are encouraged to block traffic to the associated IP address and monitor for related domains registered through the same registrar. All crypto-related interactions should be conducted only via verified, bookmarked links to prevent exposure to this and similar impersonation campaigns.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260503-91C881
Favicon MD5: 3c1378d54608925fe1dff523c02e4f7a
TLS cert SHA-256: 53d6bcd52ffd6de6ce64456754adf2773613a3f56aff935208b181264119d49b

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/agavechido.com/
JSON API: https://api.destroy.tools/v1/check?domain=agavechido.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 156,155 domains (35,598 alive under monitoring, 119,407 confirmed takedowns/dead).
Site: https://phishdestroy.io