# PhishDestroy threat dossier — app-trezor-download.com ================================================================ Fetched: 2026-05-01 02:35:13 UTC Canonical: https://phishdestroy.io/domain/app-trezor-download.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Trezor ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, BitDefender, CRDF, CyRadar, Fortinet, G-Data, Gridinsoft, Kaspersky, Sophos URLQuery: 2 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 35.241.96.249 (HK, Hong Kong) ASN: AS396982 Google LLC Hosting org: Google Cloud (asia-east2) Registrar: Dynadot Inc Nameservers: ["ns1.dyna-ns.net", "ns2.dyna-ns.net"] Registered: 2026-04-26 Page title: ledger硬件钱包官网 - 升级您的加密体验 | æ¯”ç‰¹å¸ä»¥å¤ªåŠå†·é’±åŒ HTTP response: 526 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: TrustAsia Technologies, Inc. / LiteSSL RSA CA 2025 Expires: 2026-06-21 Status: INVALID chain Fingerprint: d5fed63dd9e10123d5ad7caf9ab8f9486574c68ec662a238b24630468426cc3c Subject Alternative Names (related infrastructure — often same operator): - cn-ledger.com - www.cn-ledger.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-26 16:10:11 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-26 13:11:41 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-05-01 04:40:03 UTC Current status: ACTIVE / observable Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dc9e8-0537-76ef-8ccb-cce1087d796b/ URLQuery: https://urlquery.net/report/ea5b1f25-cd84-4b42-a2ba-4bcbde7388eb Wayback Machine: https://web.archive.org/web/*/app-trezor-download.com crt.sh CT logs: https://crt.sh/?q=%25.app-trezor-download.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=app-trezor-download.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/app-trezor-download.com URLhaus: https://urlhaus.abuse.ch/host/app-trezor-download.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-26 16:10:51 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies app-trezor-download.com as an active brand impersonation phishing domain targeting Trezor, a leading cryptocurrency hardware wallet brand. This domain is currently under investigation for malicious intent, with evidence strongly suggesting it is designed to deceive users into downloading counterfeit or malicious software disguised as official Trezor applications. The threat is classified as brand impersonation phishing due to the domain's deliberate use of the Trezor brand name and the inclusion of 'trezor' in its name to mislead users seeking legitimate software downloads. This domain was flagged by 0 of 95 VirusTotal vendors, indicating it has not yet been widely detected by security tools despite its clear deceptive intent. It is registered through DYNADOT LLC and resolves to the IP address 35.241.96.249, which hosts multiple suspicious domains. The domain was created on April 24, 2026, and currently has no known entries in public blocklists. Its SSL certificate is issued by TrustAsia Technologies, Inc., which does not mitigate the risk of phishing but may lend a false sense of security to potential victims. The lack of detections and recent creation date suggest this domain is either newly deployed or operating under the radar to evade immediate detection. The current status of this domain is active, with no signs of takedown or remediation at this time. Given the high-risk nature of brand impersonation phishing—particularly in the cryptocurrency space, where users are often targeted for financial theft—immediate action is recommended. Users should avoid accessing this domain and verify any software downloads directly from Trezor's official website at trezor.io. Organizations and security teams are advised to block this domain at the network level and monitor for any related infrastructure or domain variations. Additionally, users who may have interacted with this domain should scan their devices for malware and consider revoking any compromised credentials. [Updates since narrative was generated:] - VirusTotal detections: now 9/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260426-899E5C Favicon MD5: 3c1378d54608925fe1dff523c02e4f7a TLS cert SHA-256: d5fed63dd9e10123d5ad7caf9ab8f9486574c68ec662a238b24630468426cc3c ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/app-trezor-download.com/ JSON API: https://api.destroy.tools/v1/check?domain=app-trezor-download.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io