# PhishDestroy threat dossier — bfxtc.com
================================================================
Fetched: 2026-05-01 16:32:00 UTC
Canonical: https://phishdestroy.io/domain/bfxtc.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 75/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 2/91 security vendors flagged this domain
Flagging vendors: Fortinet, Netcraft

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 185.46.42.16 (TR, Istanbul)
ASN: AS211401 Atak Domain Bilgi Teknolojileri A.S.
Hosting org: Infrastructure
Registrar: NameCheap, Inc.
Nameservers: ["eu.atakdomain.com", "tr.atakdomain.com"]
Registered: 2026-04-27
Page title: BFXTC
HTTP response: 526

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-02-26
Status: INVALID chain
Fingerprint: d456850a6c2b59562a3df28a58c3e096ad38b7ca5b7dde0c2b4a9bb299b31cc2

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-27 20:12:15 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-27 17:13:45 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-01 18:00:46 UTC
Neutralised: 2026-04-29 09:27:45 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dcfeb-985a-7269-974a-182a74f63a90/
URLQuery: https://urlquery.net/report/ee62f540-ebd0-4cce-95bd-db1359f84666
Wayback Machine: https://web.archive.org/web/*/bfxtc.com
crt.sh CT logs: https://crt.sh/?q=%25.bfxtc.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=bfxtc.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/bfxtc.com
URLhaus: https://urlhaus.abuse.ch/host/bfxtc.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-27 20:13:37 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies bfxtc.com as an active cryptocurrency exchange phishing domain hosting a fake trading platform designed to steal digital assets.
This is not a generic phishing lure but a targeted fake exchange scam currently under active investigation by security researchers. The domain leverages urgency and fake trading interfaces to trick users into depositing cryptocurrency into wallets controlled by threat actors. Given the rapid proliferation of crypto phishing in 2025, this domain represents a credible and evolving threat to retail and institutional investors alike.

This domain was flagged and is currently under investigation with a risk level marked as active. It resolves to IP address 185.46.42.16 and holds a valid SSL certificate issued by Let’s Encrypt, which may lend false legitimacy to the site. VirusTotal currently shows 0 detections out of 95 scanning engines—indicating that mainstream antivirus and browser-based detection systems have not yet flagged this domain. The domain was registered through Namecheap Inc. on May 14, 2025, suggesting a very recent establishment likely intended to capitalize on current market hype. Despite the lack of blocklist presence at this time, the absence of detections and fresh registration date are strong indicators of a rapidly emerging threat that has yet to be widely recognized.

To mitigate exposure to this fake exchange phishing scam, users should avoid visiting bfxtc.com entirely. Never click links from unsolicited emails, social media ads, or Telegram/Discord crypto groups promoting “new exchanges.” Always verify the authenticity of any trading platform by checking official sources, using bookmarked links, and confirming domain registration details independently. Enable multi-factor authentication on existing exchange accounts and use hardware wallets for storage. If you have already interacted with this site—especially if you entered credentials or deposited funds—disconnect your device from the internet, revoke any API keys, and report the incident to your bank or wallet provider immediately.
Monitor your accounts for unauthorized transactions and consider a full system scan using up-to-date antivirus software. Security through skepticism and verification remains the best defense against evolving fake exchange phishing campaigns.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260427-11D5E7
Favicon MD5: abb19fd5d40d11fcaf0cefca7faccc35
TLS cert SHA-256: d456850a6c2b59562a3df28a58c3e096ad38b7ca5b7dde0c2b4a9bb299b31cc2

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/bfxtc.com/
JSON API: https://api.destroy.tools/v1/check?domain=bfxtc.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io