# PhishDestroy threat dossier — ailiquid.ai-cryptolist.net ================================================================ Fetched: 2026-04-22 08:37:35 UTC Canonical: https://phishdestroy.io/domain/ailiquid.ai-cryptolist.net/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 69/100 (PhishDestroy scoring — see methodology below) Scam classification: Fake Exchange ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/94 security vendors flagged this domain Flagging vendors: SOCRadar ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.68.219 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Key-Systems GmbH Nameservers: melissa.ns.cloudflare.com, miles.ns.cloudflare.com Registered: 2025-11-05 HTTP response: 403 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-06-01 Status: INVALID chain Fingerprint: 18dfe24639ec60ba5c881e9c2c4cdd0fcaa48735bc5fdb859e2feada71784596 Subject Alternative Names (related infrastructure — often same operator): - ai-cryptolist.net ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-11-05 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-11 03:14:56 UTC (by PhishDestroy tracker) Last verified: 2026-04-21 16:11:27 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d79e0-85af-75cb-bee3-2eb5a5ade86c/ Wayback Machine: https://web.archive.org/web/*/ailiquid.ai-cryptolist.net crt.sh CT logs: https://crt.sh/?q=%25.ailiquid.ai-cryptolist.net Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ailiquid.ai-cryptolist.net AlienVault OTX: https://otx.alienvault.com/indicator/domain/ailiquid.ai-cryptolist.net URLhaus: https://urlhaus.abuse.ch/host/ailiquid.ai-cryptolist.net/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-11 03:17:05 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies ailiquid.ai-cryptolist.net as an active cryptocurrency drainer phishing domain specifically designed to trick users into connecting their wallets and unknowingly draining funds. The domain mimics legitimate crypto portfolio tracking services by hosting a fraudulent interface that prompts wallet connections under the guise of portfolio analysis or token listings. Once a victim connects their wallet via the embedded Web3 provider integration, the drainer silently executes token approvals and transfers, siphoning assets to attacker-controlled addresses. This scheme capitalizes on FOMO (fear of missing out) within crypto communities by advertising fake exclusive airdrops or liquidity mining opportunities through fake social media promotions or compromised influencer accounts. Users who interact with this domain risk irreversible wallet compromise and financial loss, as the drainer exploits standard wallet signatures to authorize malicious contract interactions without requiring private key theft. Technical analysis reveals this domain operates from IP 104.21.68.219 and was registered through Key-Systems GmbH on November 5, 2025, indicating very recent establishment likely intended to evade long-term reputation-based detection systems. Despite leveraging a Google Trust Services SSL certificate to appear legitimate, the domain currently registers 0 detections out of 95 engines on VirusTotal, demonstrating that signature-based antivirus solutions have not yet caught up to this threat. The campaign's short-lived nature, combined with the lack of current blocklist coverage, suggests operators are rapidly cycling domains to maintain operational tempo while avoiding detection. The combination of recent domain age, low detection rate, and sophisticated drainer logic elevates this threat beyond typical phishing operations, warranting immediate attention from crypto security teams and wallet providers. Users who have visited ailiquid.ai-cryptolist.net or interacted with its fraudulent interface should immediately revoke any token approvals granted to unknown contracts through blockchain explorer tools such as Etherscan's token approval checker or dedicated revoke services like revoke.cash. Disconnect the connected wallet from all dApps and browser extensions, transfer remaining assets to a new wallet with a different address, and thoroughly scan all devices for malware that may have facilitated the initial compromise. This domain should be reported to PhishDestroy through their browser extension or web portal to accelerate takedown efforts and protect the broader crypto community from similar campaigns. Security teams should also monitor for related artifacts including associated Ethereum addresses, DNS records, and any infrastructure sharing the same IP range to conduct broader threat hunting operations. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: df514a3d619cf73e361b6a3194d9c80b TLS cert SHA-256: 18dfe24639ec60ba5c881e9c2c4cdd0fcaa48735bc5fdb859e2feada71784596 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/ailiquid.ai-cryptolist.net/ JSON API: https://api.destroy.tools/v1/check?domain=ailiquid.ai-cryptolist.net Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io