# PhishDestroy threat dossier — airdrop-sharex.live
================================================================

Fetched:   2026-06-26 21:23:24 UTC
Canonical: https://phishdestroy.io/domain/airdrop-sharex.live/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Airdrop Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      12/95 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, Lionic, Sophos
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.67.169.5 (US, San Francisco)
ASN:             ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org:     AS13335 Cloudflare, Inc.
Registrar:       PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers:     adam.ns.cloudflare.com, danica.ns.cloudflare.com
Registered:      2026-05-08
Expires:         2027-05-08
Page title:      Just a moment...

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either
the hosting provider / registrar suspended it on their own, the DNS went dead, or the
operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file
for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-06-24 20:59:06 UTC (by PhishDestroy tracker)
First reported:    2026-06-24 19:00:25 UTC (abuse notice filed)
Last verified:     2026-06-26 23:15:19 UTC
Neutralised:       2026-06-25 03:04:03 UTC
Current status:    taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019efaff-21ee-77bc-8e90-f03b8d31ecd5/
Wayback Machine:  https://web.archive.org/web/*/airdrop-sharex.live
crt.sh CT logs:   https://crt.sh/?q=%25.airdrop-sharex.live
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=airdrop-sharex.live
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/airdrop-sharex.live
URLhaus:          https://urlhaus.abuse.ch/host/airdrop-sharex.live/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-24 21:00:08 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy has flagged airdrop-sharex.live as an active crypto drainer domain under investigation, posing a direct threat to cryptocurrency holders and users seeking legitimate airdrops. This domain is engineered to deceive visitors into connecting their wallets under false pretenses, such as fake token airdrops or reward claims, and then draining funds through malicious smart contract interactions. The threat is not theoretical—this domain is currently live and operational, with infrastructure actively resolving to a known hosting provider to facilitate fraudulent activities. Users who interact with this domain risk unauthorized transactions, token theft, or complete wallet compromise.  This domain exhibits multiple red flags confirmed by PhishDestroy’s threat intelligence. VirusTotal currently reports 12 out of 95 antivirus engines detecting the domain as malicious, indicating it has not yet been widely blacklisted despite its active status. The domain was registered through PDR Ltd. d/b/a PublicDomainRegistry.com on May 08, 2026—recently, suggesting a short operational window designed to exploit time-sensitive opportunities. It resolves to IP address 104.21.54.203, which is associated with cloud hosting infrastructure commonly abused by cybercriminals to host fraudulent services. While detection rates remain low, the combination of recent registration, cloud hosting, and the confirmed presence of a crypto drainer payload underscores high risk. The absence of detections does not equate to safety—it often reflects lag in threat intelligence updates.  If you have visited airdrop-sharex.live, disconnect your wallet immediately and revoke any unauthorized permissions through your wallet’s settings or trusted platforms like Etherscan or Solscan. Do not approve any pending transactions or smart contract interactions. Scan your device for malware using reputable antivirus software, as crypto drainers often bundle keyloggers or clipboard hijackers. Report the domain to PhishDestroy and your wallet provider to help disrupt the threat actor’s operations. Avoid reusing wallet addresses or seed phrases across platforms, and enable hardware wallet authentication for high-value assets. Stay vigilant: crypto drainers evolve rapidly, and domains with zero detections today may become widespread threats tomorrow. Always verify URLs through PhishDestroy before engaging with any airdrop or reward-related websites.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260624-593F92
Favicon MD5:       d863555befbabd533778317023a9d2c2

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/airdrop-sharex.live/
JSON API:          https://api.destroy.tools/v1/check?domain=airdrop-sharex.live
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,600 domains (12,289 alive under monitoring, 157,922 confirmed takedowns/dead). Site: https://phishdestroy.io