# PhishDestroy threat dossier — bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link ================================================================ Fetched: 2026-05-20 10:38:15 UTC Canonical: https://phishdestroy.io/domain/bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: phishing_login Targeted brand: naver ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 14/92 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CRDF, CyRadar, Ermes, Emsisoft, Fortinet, G-Data, Gridinsoft, LevelBlue, Netcraft, SafeToOpen, Sophos Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 209.94.90.3 (US, San Francisco) ASN: AS40680 Protocol Labs Hosting org: Protocol Labs Registrar: CSC Corporate Domains, Inc. Nameservers: clarissa.ns.cloudflare.com, tate.ns.cloudflare.com Registered: 2026-05-11 Page title: Naver Sign in ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-06-23 Status: INVALID chain Fingerprint: e64bf46ff6fb738674ebc57eefbea1a255bf1294f88a254e67547fc25971cf0e Subject Alternative Names (related infrastructure — often same operator): - dweb.link ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-11 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-11 02:43:02 UTC (by PhishDestroy tracker) Last verified: 2026-05-19 01:40:06 UTC Neutralised: 2026-05-12 00:06:45 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e1443-f473-70c9-8bef-910b68af3569/ Wayback Machine: https://web.archive.org/web/*/bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link crt.sh CT logs: https://crt.sh/?q=%25.bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link AlienVault OTX: https://otx.alienvault.com/indicator/domain/bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link URLhaus: https://urlhaus.abuse.ch/host/bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-11 02:43:35 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link as an active crypto drainer infrastructure operating under the guise of IPFS-hosted content. The domain leverages social engineering tactics to trick users into connecting crypto wallets under the false pretense of accessing legitimate decentralized content. No specific brand is directly impersonated in this campaign; however, the use of IPFS hosting (a legitimate decentralized storage protocol) serves as a decoy to distribute malicious drainer scripts. The drainer kit is designed to execute unauthorized token transfers upon wallet connection, targeting users seeking to access files or media hosted on IPFS networks. This domain was flagged with a high-risk profile across multiple security platforms. VirusTotal analysis confirms detection by 14 out of 95 security vendors, indicating partial but not universal recognition of the threat. The domain is registered through CSC Corporate Domains, Inc., and resolves to IP address 209.94.90.3. Domain creation occurred on February 24, 2017, which may indicate reuse of an older, compromised domain for current malicious purposes. Google Safe Browsing classifies this domain under SOCIAL_ENGINEERING, and it is blocked by both OISD and one additional security blocklist, reflecting consistent malicious reputation. The combination of age, blocklist status, and partial detection coverage highlights a sophisticated and evasive threat actor. As of current monitoring, this domain remains actively engaged in malicious operations with high risk to end users. Immediate takedown or remediation efforts have not been confirmed at this time, leaving the infrastructure operational. Users are strongly advised to avoid any interaction with this domain, especially those involving wallet connections or file downloads. Existing detection signatures (14/95) suggest incomplete protection, warranting user vigilance and reliance on real-time threat intelligence. The combination of social engineering tactics, partial detection coverage, and active status elevates the risk profile, reinforcing the need for proactive security measures and user education. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: b707378e4db3fcca990f228c4d865f86 TLS cert SHA-256: e64bf46ff6fb738674ebc57eefbea1a255bf1294f88a254e67547fc25971cf0e ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link/ JSON API: https://api.destroy.tools/v1/check?domain=bafkreidgrzz5a5olpbqqm66sjo442pfrbkrq4obr54gf2zhh4rxh3bdq5u.ipfs.dweb.link Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 151,957 domains (43,223 alive under monitoring, 108,423 confirmed takedowns/dead). Site: https://phishdestroy.io