# amlbot.services — MALICIOUS

> amlbot.services is a high-risk phishing site impersonating AMLBot. The domain is offline but was flagged for brand impersonation. Avoid and report it.

## Summary
PhishDestroy identifies amlbot.services as a high-risk domain that impersonated the legitimate AMLBot brand. This site presented itself as a 'Free AML Crypto Check' platform, targeting users interested in cryptocurrency compliance. Although the domain is currently offline, its prior activity posed significant danger by misleading users into trusting a fake service. Such impersonation can lead to theft of sensitive financial data or cryptocurrency assets.

The phishing tactic used by amlbot.services involved mimicking AMLBot’s brand and offering free AML checks for popular cryptocurrencies like USDT, ETH, and BTC to lure users. By resolving to an IP address (104.21.112.1) and appearing on multiple security blocklists, the domain was flagged by 13 out of 95 VirusTotal security vendors. This indicates a recognized threat level from various cybersecurity sources. The attackers aimed to exploit users’ trust in AMLBot to steal credentials, install malware, or facilitate fraudulent transactions.

If users visited amlbot.services, PhishDestroy advises immediate actions including avoiding any further interaction with the site and not submitting personal or financial information. Users should scan their devices for malware, change passwords related to cryptocurrency accounts, and monitor accounts for suspicious activity. Reporting the domain to cybersecurity organizations and maintaining vigilance against similar brand impersonations is essential to stay safe in the evolving crypto threat landscape.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Scam type: AML Scam
- Target brand: AMLBot
- Page title: Free AML Crypto Check – USDT, TRC20, ETH, TON, BTC

## Domain Intelligence
- IP: 104.21.112.1
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: Unknown
- SSL Issuer: none

## Detection Status
- VirusTotal: 13 vendors flagged
  Vendors: ["ADMINUSLabs", "alphaMountain.ai", "BitDefender", "CRDF", "CyRadar", "ESET", "Forcepoint ThreatSeeker", "Fortinet", "G-Data", "Kaspersky", "Lionic", "Sophos", "VIPRE"]
- Google Safe Browsing: clean
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/01984645-48d5-7335-a396-2f912f3b5327.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/8c86bde5-80b6-4740-b1bf-cccbcb033406
- Wayback Machine: https://web.archive.org/web/https://amlbot.services
- PhishDestroy: https://phishdestroy.io/domain/amlbot.services/
- LLM endpoint: https://phishdestroy.io/domain/amlbot.services/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/amlbot.services/
Last updated: 2026-03-19