# PhishDestroy threat dossier — ardenfinance.xyz
================================================================

Fetched:   2026-05-01 13:51:04 UTC
Canonical: https://phishdestroy.io/domain/ardenfinance.xyz/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 87/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Yearn

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      2/91 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      160.119.248.230 (ZA, Durbanville)
ASN:             AS329184 Host Africa (Pty) Ltd
Hosting org:     Hostafrica
Registrar:       HOSTINGER operations, UAB
Nameservers:     dan1.host-ww.net, dan2.host-ww.net, dan3.host-ww.net, dan4.host-ww.net
Registered:      2025-10-18
Page title:      Arden Finance - Secure. Grow. Innovate.
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-06-12
Status:     INVALID chain
Fingerprint: 1402fb90ae9d0621e2f2eec03935091c678a31f2ae648495ef8b953f8188b2f8
Subject Alternative Names (related infrastructure — often same operator):
  - ftp.ardenfinance.xyz
  - mail.ardenfinance.xyz
  - pop.ardenfinance.xyz
  - smtp.ardenfinance.xyz
  - www.ardenfinance.xyz

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-10-18 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-29 22:35:12 UTC (by PhishDestroy tracker)
First reported:    2026-04-29 19:35:31 UTC (abuse notice filed)
Last verified:     2026-05-01 13:10:25 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019ddabb-bd40-77ab-9444-27e4b093670d/
URLQuery:         https://urlquery.net/report/b132a0bd-b47f-413c-9295-09577865f2fb
Wayback Machine:  https://web.archive.org/web/*/ardenfinance.xyz
crt.sh CT logs:   https://crt.sh/?q=%25.ardenfinance.xyz
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ardenfinance.xyz
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/ardenfinance.xyz
URLhaus:          https://urlhaus.abuse.ch/host/ardenfinance.xyz/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-29 22:36:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies ardenfinance.xyz as a malicious domain engaging in brand impersonation targeting Yearn Finance. This domain is part of an ongoing campaign designed to deceive users into believing they are interacting with legitimate Yearn Finance services, likely to facilitate financial fraud or asset theft. The threat type is classified as brand impersonation, a tactic commonly employed by cybercriminals to exploit trust in established financial protocols. No specific drainer kit has been detailed in available intelligence, but the domain's behavior aligns with typical drainer schemes where users' funds are siphoned under false pretenses.  

This domain exhibits several concerning technical indicators. It was registered through HOSTINGER operations, UAB, and resolves to the IP address 160.119.248.230. The domain secured an SSL certificate from Let's Encrypt, which may lend it a veneer of legitimacy. VirusTotal analysis flagged this domain with a detection rate of 2/95 security vendors, indicating limited but present malicious recognition. The domain was created on October 18, 2025, making it a very recent addition to the threat landscape. As of the latest intelligence, its status is active, and it remains unblocked by Google Safe Browsing (GSB) and other major blocklists, increasing its potential reach and danger to unsuspecting users.  

The current status of ardenfinance.xyz is active, and it poses an elevated risk to users who may encounter it. Immediate action is recommended to block or flag this domain at the network level to prevent access. Users should also verify the authenticity of any Yearn Finance-related communications or websites by cross-referencing official sources, such as the verified domains listed on Yearn Finance's official website. The remaining risk is significant due to the domain's active status and the absence of widespread blocklist coverage. Users must exercise heightened caution and rely on secure, verified channels when engaging with financial protocols to mitigate the risk of falling victim to this impersonation scheme.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260429-E62EB1
Favicon MD5:       3c1378d54608925fe1dff523c02e4f7a
TLS cert SHA-256:      1402fb90ae9d0621e2f2eec03935091c678a31f2ae648495ef8b953f8188b2f8

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/ardenfinance.xyz/
JSON API:          https://api.destroy.tools/v1/check?domain=ardenfinance.xyz
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io