# PhishDestroy threat dossier — americatoken.live
================================================================

Fetched:   2026-06-27 04:27:58 UTC
Canonical: https://phishdestroy.io/domain/americatoken.live/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 85/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      165.99.164.20 (US, Ogden)
ASN:             ASAS213549 SATISFYHOST SATISFYHOST LTD, GB
Hosting org:     AS213549 SATISFYHOST LTD
Registrar:       Dynadot Inc
Nameservers:     dns1.harmonweb.net, dns2.harmonweb.net
Registered:      2026-06-07
Expires:         2027-06-07
Page title:      America250 ($AMERICA250) | Official Semiquincentennial Meme Coin on Solana | 1776–2026

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either
the hosting provider / registrar suspended it on their own, the DNS went dead, or the
operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file
for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-07 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-06-24 19:26:27 UTC (by PhishDestroy tracker)
First reported:    2026-06-24 17:28:55 UTC (abuse notice filed)
Last verified:     2026-06-27 06:15:25 UTC
Neutralised:       2026-06-25 03:04:03 UTC
Current status:    taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019efaaa-738e-778f-8271-784b4cf2233b/
URLQuery:         https://urlquery.net/report/d52b319b-4969-420b-b1a8-a8dbcc210fb1
Wayback Machine:  https://web.archive.org/web/*/americatoken.live
crt.sh CT logs:   https://crt.sh/?q=%25.americatoken.live
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=americatoken.live
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/americatoken.live
URLhaus:          https://urlhaus.abuse.ch/host/americatoken.live/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 19:09:09 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, americatoken.live, is identified as a cryptocurrency phishing site specifically targeting users of the OKX exchange platform. The site presents itself as an official distribution page for a purported "America250" meme coin on the Solana blockchain, using patriotic branding and a fabricated connection to the U.S. Semiquincentennial to lend credibility. Analysis indicates the infrastructure is designed to harvest cryptocurrency wallet credentials or distribute malicious smart contracts under the guise of a legitimate token offering. The page title, "America250 ($AMERICA250) | Official Semiquincentennial Meme Coin on Solana | 1776–2026," reinforces the deception by mimicking official commemorative projects while exploiting the trust associated with established exchange brands.

Infrastructure analysis reveals multiple technical indicators of malicious intent. The domain was registered on June 7, 2026, through Dynadot Inc, a registrar frequently observed in phishing operations. It resolves to the IP address 165.99.164.20 and is currently flagged by one security blocklist. VirusTotal reports 2 out of 95 security vendors have detected this domain as malicious, a low but notable detection rate that suggests either recent deployment or evasion techniques. The SSL certificate is issued by Let's Encrypt, a common choice for threat actors due to its free and automated issuance process. The domain has since been taken offline, though historical activity and residual risk remain for users who may have engaged with it prior to deactivation.

Users who visited americatoken.live or interacted with its content should take immediate corrective actions. Any cryptocurrency wallets connected to the site must be considered compromised and should be migrated to new, secure wallets immediately. All associated private keys or seed phrases should be revoked and replaced. Users are advised to audit their transaction history for unauthorized transfers, particularly those involving Solana or the $AMERICA250 token. If credentials were entered, they should be reset across all platforms where identical or similar passwords were used. Monitoring for phishing attempts via email or social media is recommended, as threat actors may attempt follow-up attacks using harvested contact information. No legitimate token or project is associated with this domain, and any claims of official partnerships with OKX or U.S. government entities are fraudulent.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260624-DEEE0E
Favicon MD5:       8791eb8bc29375007a9732c9584fb632

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/americatoken.live/
JSON API:          https://api.destroy.tools/v1/check?domain=americatoken.live
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,767 domains (12,434 alive under monitoring, 157,933 confirmed takedowns/dead). Site: https://phishdestroy.io