# PhishDestroy threat dossier — backup.web3privatelock.com ================================================================ Fetched: 2026-07-13 04:18:48 UTC Canonical: https://phishdestroy.io/domain/backup.web3privatelock.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 97/100 (PhishDestroy scoring — see methodology below) Scam classification: Generic Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 13/91 security vendors flagged this domain Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.160.27 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: Hosting Concepts B.V. d/b/a Registrar.eu Nameservers: chad.ns.cloudflare.com, connie.ns.cloudflare.com Registered: 2026-04-29 Expires: 2027-04-29 Page title: Web3 Private Lock - Connecting Decentralised Applications HTTP response: 502 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-07-29 Status: INVALID chain Fingerprint: 93a3ab69e3533f48133bea75aabc6d6fcd37cb96dd2a80d4358e8edb31234582 Subject Alternative Names (related infrastructure — often same operator): - web3privatelock.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-25 01:58:36 UTC (by PhishDestroy tracker) First reported: 2026-06-25 00:00:34 UTC (abuse notice filed) Last verified: 2026-07-13 04:20:41 UTC Neutralised: 2026-07-04 00:02:07 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019efc11-79a8-7441-b509-3cc9b4a96ce7/ URLQuery: https://urlquery.net/report/8647e845-089f-4781-b911-ade0fce754e0 Wayback Machine: https://web.archive.org/web/*/backup.web3privatelock.com crt.sh CT logs: https://crt.sh/?q=%25.backup.web3privatelock.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=backup.web3privatelock.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/backup.web3privatelock.com URLhaus: https://urlhaus.abuse.ch/host/backup.web3privatelock.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-25 02:00:06 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] backup.web3privatelock.com is observed hosting a generic phishing landing page designed to deceive cryptocurrency wallet users into exposing private keys or seed phrases. Analysis indicates this domain is currently active and has not been flagged by any detection vendors despite its recent domain age. The infrastructure is configured to mimic legitimate cryptocurrency services, likely aiming to harvest sensitive authentication credentials or digital asset recovery phrases. Analysis indicates the domain was registered on April 29, 2026, through Hosting Concepts B.V. d/b/a Registrar.eu, resolving to IPv4 address 104.21.14.175. VirusTotal scanning shows 0 detections out of 95 vendor engines as of the latest evaluation window. The infrastructure lacks historical reputation with no recorded associations in known threat intelligence feeds, suggesting either a newly deployed operation or deliberate avoidance of prior exposure. WHOIS data confirms the registrant’s privacy protections, obscuring attribution. Current operational status remains active with no evidence of takedown or remediation. Given the absence of vendor detection despite high-risk content, this domain poses an elevated threat to cryptocurrency users, particularly those interacting with web3 platforms or decentralized applications. Immediate network-level blocking of 104.21.14.175 and domain-level blocking of backup.web3privatelock.com is strongly recommended. Users should treat all unsolicited communications referencing web3 services with heightened scrutiny, verify endpoints via official channels, and avoid inputting sensitive credentials into untrusted interfaces. Continuous monitoring for related domains or IP shifts is advised to preempt further exploitation. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260625-08EED3 Favicon MD5: 1de3cc15d59f5613ed6d114727b94b3c TLS cert SHA-256: 93a3ab69e3533f48133bea75aabc6d6fcd37cb96dd2a80d4358e8edb31234582 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/backup.web3privatelock.com/ JSON API: https://api.destroy.tools/v1/check?domain=backup.web3privatelock.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,009 domains (49,743 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io