# PhishDestroy threat dossier — blockblastmodapk.com
================================================================

Fetched:   2026-05-02 05:01:30 UTC
Canonical: https://phishdestroy.io/domain/blockblastmodapk.com/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 65/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/91 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.96.3 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     CloudFlare, Inc.
Registrar:       NameCheap, Inc.
Nameservers:     ["emma.ns.cloudflare.com", "rob.ns.cloudflare.com"]
Registered:      2026-04-30
Page title:      BUZZ
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-06-17
Status:     INVALID chain
Fingerprint: 4090aef7f80a6509a57a7fbd78c2fa0c17104937659f74e0a5e096314ca3e6eb

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-30 17:43:06 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-30 14:45:53 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-05-01 19:40:17 UTC
Current status:    ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dded5-e856-70ec-8d2e-11b1a3c13840/
URLQuery:         https://urlquery.net/report/3a560e15-c050-4a10-bd58-e00b480c4bb6
Wayback Machine:  https://web.archive.org/web/*/blockblastmodapk.com
crt.sh CT logs:   https://crt.sh/?q=%25.blockblastmodapk.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=blockblastmodapk.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/blockblastmodapk.com
URLhaus:          https://urlhaus.abuse.ch/host/blockblastmodapk.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-30 17:44:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies blockblastmodapk.com as a high-risk fake Mod APK phishing domain currently under investigation for distributing malicious APK files under the guise of popular game modifications. The threat posed is direct user compromise through trojanized or spyware-laced APK files that may exfiltrate personal data, install backdoors, or encrypt files for ransom. Users who download and install these fake mods risk severe system compromise, financial loss, and identity theft.  

This domain was flagged with an active threat status and generic phishing classification by PhishDestroy’s monitoring systems. Technical indicators include a VirusTotal detection score of 0/95 (not yet flagged by security engines), registration through NAMECHEAP INC, an SSL certificate issued by Google Trust Services, resolution to IP address 188.114.96.3, and a creation date of November 07, 2024. The domain has not yet appeared on public blocklists or threat intelligence feeds, indicating it is a newly active campaign with low signature detection. The combination of a recently registered domain, low detection rate, and focus on popular game mod distributions suggests an opportunistic, high-yield phishing vector targeting gamers seeking free or modified game content.  

To mitigate risk, users must refrain from downloading APK files from unofficial or unverified sources, especially those hosted on domains like blockblastmodapk.com. Only download APK files from official app stores or the developer’s official website. Ensure devices have real-time antivirus and anti-malware protection enabled, and consider using mobile security solutions that scan downloaded files before installation. If an APK was installed from this domain, immediately uninstall the app, run a full system scan, change passwords for sensitive accounts, and monitor financial transactions for unauthorized activity. Report the domain to your antivirus provider and relevant cybersecurity authorities to help block future access.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260430-94DFB9
Favicon MD5:       6f22cd2c35266314fcc5f9849325df6e
TLS cert SHA-256:      4090aef7f80a6509a57a7fbd78c2fa0c17104937659f74e0a5e096314ca3e6eb

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/blockblastmodapk.com/
JSON API:          https://api.destroy.tools/v1/check?domain=blockblastmodapk.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io