# PhishDestroy threat dossier — alternatives-broker.com
================================================================
Fetched: 2026-07-02 09:01:10 UTC
Canonical: https://phishdestroy.io/domain/alternatives-broker.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 83/100 (PhishDestroy scoring — see methodology below)
Targeted brand: OKX
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: Gridinsoft
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: ["alex.ns.cloudflare.com", "holly.ns.cloudflare.com"]
Registered: 2026-04-02
Expires: 2027-04-02
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YE2
Expires: 2026-08-29
Status: INVALID chain
Fingerprint: 5f1391abcf1ab8f47e5f1750e4f0757bdff62d959d695589cd06c1c47b801883

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-26 05:30:10 UTC (by PhishDestroy tracker)
First reported: 2026-06-15 06:41:10 UTC (abuse notice filed)
Last verified: 2026-07-02 08:20:36 UTC
Neutralised: 2026-06-08 01:37:50 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 18:29:58 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain is flagged as a high-risk brand impersonation threat targeting OKX, a major cryptocurrency exchange platform. Analysis indicates the site is designed to deceive users into disclosing login credentials, private keys, or authorizing fraudulent transactions under the guise of legitimate OKX services. The threat type is classified as credential harvesting with potential financial fraud, leveraging social engineering tactics to exploit trust in the targeted brand.

Infrastructure analysis reveals the domain alternatives-broker.com was registered on April 02, 2026, through Cloudflare, Inc., and currently resolves to the IP address 188.114.97.3. It holds a Let's Encrypt SSL certificate (YE2), which may lend a false sense of legitimacy to unsuspecting users. The domain appears on one security blocklist and is detected by 1 out of 95 security vendors on VirusTotal, specifically flagged by PhishDestroy. Despite minimal detection at present, the domain remains active and poses an ongoing risk to users unfamiliar with the legitimate OKX infrastructure.

Mitigation steps for this threat include immediate blacklisting of the domain and its associated IP address (188.114.97.3) across all network security controls. Organizations should deploy indicators of compromise (IOCs) to endpoint detection systems and web filtering solutions to prevent access. Users should be educated on verifying domain authenticity, particularly for cryptocurrency-related services, and instructed to cross-reference URLs with official sources. Monitoring for similar domains registered through Cloudflare with recent creation dates may help identify additional impersonation attempts. Incident responders should treat any interaction with this domain as a potential compromise and initiate credential reset protocols for affected accounts.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: b5d38c72ac0985bffa09addb13e3692d
TLS cert SHA-256: 5f1391abcf1ab8f47e5f1750e4f0757bdff62d959d695589cd06c1c47b801883

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/alternatives-broker.com/
JSON API: https://api.destroy.tools/v1/check?domain=alternatives-broker.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,583 domains (14,589 alive under monitoring, 158,288 confirmed takedowns/dead).
Site: https://phishdestroy.io