# PhishDestroy threat dossier — aml-trust.net
================================================================
Fetched: 2026-07-01 22:49:30 UTC
Canonical: https://phishdestroy.io/domain/aml-trust.net/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 94/100 (PhishDestroy scoring — see methodology below)
Scam classification: AML Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, Fortinet, LevelBlue
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 185.38.148.238 (GB, London)
ASN: AS25369 Hydra Communications Ltd
Hosting org: AS25369 Hydra Communications Ltd
Registrar: TUCOWS.COM, CO.
Nameservers: 1-you.njalla.no, 2-can.njalla.in, 3-get.njalla.fo
Registered: 2026-05-04
Expires: 2027-05-04
Page title: AML Pro — Crypto Compliance Verification
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-08-19
Status: INVALID chain
Fingerprint: 2d6baf0bfa4ce95b6203ff1a83a68e5add1d56b5f0740e407ca4132b62b83a28

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-28 23:37:49 UTC (by PhishDestroy tracker)
First reported: 2026-06-28 21:40:43 UTC (abuse notice filed)
Last verified: 2026-07-02 00:20:34 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f102a-1650-77db-974a-8941d8874fe8/
URLQuery: https://urlquery.net/report/5f92d81a-4c15-42d4-b82b-cad6a709a857
Wayback Machine: https://web.archive.org/web/*/aml-trust.net
crt.sh CT logs: https://crt.sh/?q=%25.aml-trust.net
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=aml-trust.net
AlienVault OTX: https://otx.alienvault.com/indicator/domain/aml-trust.net
URLhaus: https://urlhaus.abuse.ch/host/aml-trust.net/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-28 23:44:34 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain aml-trust.net is currently identified as a high-risk source of generic phishing activity, specifically targeting user credentials. As of the latest analysis, this domain remains active and operational. There is no evidence of a specific brand impersonation, but the threat type indicates a broad phishing campaign designed to deceive users and harvest sensitive information.

Technical examination reveals aml-trust.net was registered on May 04, 2026, through TUCOWS.COM, CO. The domain utilizes a Let's Encrypt SSL certificate, which may foster a false sense of legitimacy among potential victims. Hosting resolves to IP address 185.38.148.238.

On VirusTotal, 3 out of 95 security vendors have flagged this domain as malicious. The relatively low blocklist count, compared to the high risk assessment, may indicate that the campaign is newly launched or evolving, making timely detection and response critical.

The domain remains active at this time, posing an ongoing risk to users. Organizations and individuals are advised to implement proactive blocking of aml-trust.net at the network level, monitor for related indicators of compromise, and educate users about the threat. Security teams should update detection mechanisms with this domain and associated infrastructure to reduce exposure to credential theft and subsequent exploitation.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260628-BAE53E
Favicon MD5: b8a0bf372c762e966cc99ede8682bc71
TLS cert SHA-256: 2d6baf0bfa4ce95b6203ff1a83a68e5add1d56b5f0740e407ca4132b62b83a28

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/aml-trust.net/
JSON API: https://api.destroy.tools/v1/check?domain=aml-trust.net
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,583 domains (13,714 alive under monitoring, 159,163 confirmed takedowns/dead).
Site: https://phishdestroy.io