# PhishDestroy threat dossier — aispa.uk
================================================================
Fetched: 2026-07-02 09:20:33 UTC
Canonical: https://phishdestroy.io/domain/aispa.uk/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Crypto Drainer
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: status_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/91 security vendors flagged this domain
Flagging vendors: CRDF, Gridinsoft, SOCRadar
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 216.150.1.1 (US, Walnut)
ASN: AS16509 Amazon.com, Inc.
Hosting org: Vercel, Inc
Registrar: Cloudflare, Inc. [Tag = CLOUDFLARE]
Nameservers: annalise.ns.cloudflare.com, sri.ns.cloudflare.com
Registered: 2026-04-14
Page title: AISPA — The AI Security Layer for the Next Era of Web3
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-07-13
Status: INVALID chain
Fingerprint: 60c0efbc6a9154717e659849aa7ad37cd12e21d7bb6ff13c76da7d2bc442b4a0

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-04 12:08:25 UTC (by PhishDestroy tracker)
First reported: 2026-05-04 09:08:37 UTC (abuse notice filed)
Last verified: 2026-07-02 11:15:22 UTC
Neutralised: 2026-06-06 17:32:11 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019df23c-4f96-735a-9ca4-cba82e5824e2/
URLQuery: https://urlquery.net/report/0b950e9e-334d-4423-980b-7f759fc0a4d1
Wayback Machine: https://web.archive.org/web/*/aispa.uk
crt.sh CT logs: https://crt.sh/?q=%25.aispa.uk
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=aispa.uk
AlienVault OTX: https://otx.alienvault.com/indicator/domain/aispa.uk
URLhaus: https://urlhaus.abuse.ch/host/aispa.uk/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 06:07:31 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, aispa.uk, is confirmed to host a Web3 crypto drainer phishing operation targeting users of decentralized applications and cryptocurrency wallets. The site presents itself as 'AISPA — The AI Security Layer for the Next Era of Web3,' a fabricated security service designed to deceive users into connecting their wallets via malicious smart contract interactions. Once connected, the embedded scripts execute unauthorized transactions, draining funds from the victim's wallet without consent. The attack vector leverages social engineering tactics, exploiting trust in AI and Web3 security branding to facilitate financial theft.
Analysis indicates the domain was registered on April 14, 2026, through Cloudflare, Inc., and resolves to the IP address 216.150.1.1. It is flagged by 3 out of 95 security vendors on VirusTotal, with detections including phishing and malicious content classifications. The domain appears on two independent security blocklists and is actively blocked by PhishDestroy and ScamSniffer. Infrastructure analysis reveals the use of Node.js, React, and Next.js frameworks, alongside Vercel hosting and a Let's Encrypt SSL certificate, which are commonly observed in both legitimate and malicious Web3 applications. The Gridinsoft trust score of 0/100 further corroborates the domain's malicious intent.

Users who visited aispa.uk or interacted with its content are advised to immediately revoke any connected wallet permissions via their wallet interface or a blockchain explorer. All connected devices should undergo a full antivirus scan to detect potential secondary infections. If cryptocurrency transactions were initiated, victims should report the incident to their wallet provider and relevant blockchain analytics platforms for transaction tracing. Additionally, monitor all linked accounts for unauthorized access or transactions, and consider migrating assets to a new wallet if compromise is confirmed. Future interactions with Web3 applications should be restricted to verified, audited platforms with established reputations.

[Updates since narrative was generated:]
- VirusTotal detections: now 3/91 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260504-AD5781
Favicon MD5: 1991ec88301ef8dd593796852cdcab09
TLS cert SHA-256: 60c0efbc6a9154717e659849aa7ad37cd12e21d7bb6ff13c76da7d2bc442b4a0

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/aispa.uk/
JSON API: https://api.destroy.tools/v1/check?domain=aispa.uk
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,583 domains (14,589 alive under monitoring, 158,288 confirmed takedowns/dead). Site: https://phishdestroy.io