# PhishDestroy threat dossier — aurexglobal.io
================================================================
Fetched: 2026-05-11 14:29:45 UTC
Canonical: https://phishdestroy.io/domain/aurexglobal.io/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: MetaMask

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 84.32.41.157 (GB, London)
ASN: AS201579 HOSTGNOME LTD
Hosting org: Hostgnome LTD Ipxo
Registrar: NameSilo, LLC

!!! REGISTRAR INTEGRITY ALERT — NameSilo !!!
NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received.
Primary sources:
  https://phishdestroy.io/namesilo-killed-our-twitter
  https://phishdestroy.io/xmrwallet-namesilo-exposed

Nameservers: roan.ns.cloudflare.com, ursula.ns.cloudflare.com
Registered: 2026-04-30
Page title: AURELIUM NETWORK
HTTP response: 526

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: areume.dev
Expires: 2026-11-21
Status: INVALID chain
Fingerprint: 02c80a0cc435b429483a99c35611d3575fe457654adf6ede996830096f392926
Subject Alternative Names (related infrastructure — often same operator):
- areume.dev
- www.areume.dev

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-30 13:32:35 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-30 10:33:31 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-11 16:57:31 UTC
Current status: ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.
## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dddf0-c5ff-742d-9b02-2ba2a5c80248/
URLQuery: https://urlquery.net/report/890f172d-3b1a-4d6f-adfd-b1c05c0fdbcc
Wayback Machine: https://web.archive.org/web/*/aurexglobal.io
crt.sh CT logs: https://crt.sh/?q=%25.aurexglobal.io
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=aurexglobal.io
AlienVault OTX: https://otx.alienvault.com/indicator/domain/aurexglobal.io
URLhaus: https://urlhaus.abuse.ch/host/aurexglobal.io/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-30 13:34:59 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies aurexglobal.io as an active cryptocurrency impersonation phishing site seeded 7e7df9 under ongoing investigation. The domain masquerades as a legitimate trading platform to harvest MetaMask seed phrases and private keys, presenting a high risk to digital-asset users. This campaign specifically targets individuals familiar with the Aurex brand, leveraging look-alike branding to bypass initial suspicion and trick visitors into connecting compromised wallets. Security advisories from MetaMask and SEAL confirm live blocking, indicating confirmed malicious intent rather than speculative risk. This domain was flagged with 0 detections out of 95 engines on VirusTotal, registered through NameSilo, LLC on November 21, 2025, resolves to IP 84.32.41.157, and already appears on two public blocklists. The SSL certificate issued to areume.dev reveals the use of mismatched or deceptive TLS identities, a common tactic to increase victim trust before credential harvesting.
Its recent creation date and low detection rate suggest early-stage deployment, increasing the likelihood of additional victims before broader detection coverage is achieved. These technical indicators—zero detections, active blocking by wallet providers, and cross-blocklist presence—collectively elevate the risk profile beyond typical phishing campaigns.

To mitigate exposure, users must avoid interacting with aurexglobal.io or any subpages. Never enter wallet passwords, seed phrases, or private keys on any site claiming affiliation with AurexGlobal. If you’ve already connected a wallet, revoke unauthorized permissions immediately via tools like Etherscan or MetaMask’s security settings. Report the domain to your browser’s safe-browsing program and share indicators with threat-intel platforms to accelerate takedown. Maintain updated blocklists and use hardware wallets for critical transactions to reduce reliance on software-based key storage. Always verify URLs through official channels before any financial interaction.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260430-5E0720
Favicon MD5: f11422959fa319e9c92ced4099e23154
TLS cert SHA-256: 02c80a0cc435b429483a99c35611d3575fe457654adf6ede996830096f392926

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/aurexglobal.io/
JSON API: https://api.destroy.tools/v1/check?domain=aurexglobal.io
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 148,214 domains (45,055 alive under monitoring, 102,878 confirmed takedowns/dead).
Site: https://phishdestroy.io