# PhishDestroy threat dossier — app-tokenpocketsite.com
================================================================

Fetched:   2026-04-24 15:13:47 UTC
Canonical: https://phishdestroy.io/domain/app-tokenpocketsite.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      2/94 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, SOCRadar

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      154.213.159.203 (HK, Hong Kong)
ASN:             AS132839 POWER LINE DATACENTER
Hosting org:     Digital Core Technology Co., Limited
Registrar:       Dominet (HK) Limited
Nameservers:     ["ns1.domainnamedns.com", "ns2.domainnamedns.com"]
Registered:      2026-04-15
Page title:      404 Not Found
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R12
Expires:    2026-07-06
Status:     INVALID chain
Fingerprint: 23d4da85e086f72989858f843e30dcf48a1ea2e8b438f29ed14e4212dc3c0384
Subject Alternative Names (related infrastructure — often same operator):
  - m.app-tokenpocketsite.com
  - wap.app-tokenpocketsite.com
  - www.app-tokenpocketsite.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-15 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-15 08:24:50 UTC (by PhishDestroy tracker)
Last verified:     2026-04-23 20:20:44 UTC
Current status:    ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d8f95-d097-722e-96e2-709196da616e/
Wayback Machine:  https://web.archive.org/web/*/app-tokenpocketsite.com
crt.sh CT logs:   https://crt.sh/?q=%25.app-tokenpocketsite.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=app-tokenpocketsite.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/app-tokenpocketsite.com
URLhaus:          https://urlhaus.abuse.ch/host/app-tokenpocketsite.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-15 08:27:29 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies app-tokenpocketsite.com as a high-risk brand impersonation domain targeting OKX cryptocurrency exchange users. This fraudulent site mimics OKX's branding to deceive visitors into revealing sensitive wallet credentials or financial data. The threat involves malicious actors exploiting OKX's reputation to trick users into downloading or connecting fraudulent wallet applications under the guise of 'token pockets' or similar services. Given the active status and impersonation tactics, this domain poses significant risks to cryptocurrency users who may inadvertently interact with it, leading to potential financial loss or account compromise.  This domain exhibits multiple red flags consistent with active phishing operations. VirusTotal analysis shows 0/95 detections, indicating it currently evades major antivirus and security vendor scanners. The domain resolves to IP address 154.213.159.203 and was registered through Dominet (HK) Limited on October 10, 2025—recently enough to suggest opportunistic registration following OKX's rise in prominence. The SSL certificate issued by Let's Encrypt provides a false sense of security but does not validate the site's authenticity. Additionally, the domain's naming convention ('tokenpocketsite') specifically targets users seeking wallet services, reinforcing its malicious intent. There are no current blocks on major DNS or browser blocklists, which may explain its ability to remain active.  Users should immediately avoid interacting with app-tokenpocketsite.com and verify any cryptocurrency-related domains through official OKX channels before taking any action. For affected users, revoke any connected wallet permissions to mitigated potential damage and report the domain to OKX's phishing reporting system and relevant cybersecurity authorities. Cryptocurrency exchanges should update their threat intelligence feeds to include this domain and consider takedown requests to hosting providers. Always cross-reference URLs against official sources using bookmarked links or verified search results, as brand impersonation domains often exploit typo variations or misleading subdomains to appear legitimate.

[Updates since narrative was generated:]
  - VirusTotal detections: now 2/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       d78cffebcad54e1171ba4dc9b5fe24a6
TLS cert SHA-256:      23d4da85e086f72989858f843e30dcf48a1ea2e8b438f29ed14e4212dc3c0384

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/app-tokenpocketsite.com/
JSON API:          https://api.destroy.tools/v1/check?domain=app-tokenpocketsite.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io