# PhishDestroy threat dossier โ€” blog-uphold.created.app ================================================================ Fetched: 2026-05-31 07:24:03 UTC Canonical: https://phishdestroy.io/domain/blog-uphold.created.app/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED โ€” returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring โ€” see methodology below) Scam classification: Credential Phishing Cloaking: DETECTED โ€” domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 13/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Google Safebrowsing, Kaspersky, LevelBlue, Lionic, SOCRadar, Sophos, Webroot Public blocklists: listed on 3 independent blocklists Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 216.150.1.193 (US, Walnut) ASN: AS16509 Amazon.com, Inc. Hosting org: Vercel, Inc Registrar: Tucows Domains Inc Nameservers: ["ns1.vercel-dns.com", "ns2.vercel-dns.com"] Registered: 2026-05-21 Page title: Secure Uphold Login ๐Ÿ” | Access Your Digital Wallet Safely HTTP response: 404 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-07-29 Status: INVALID chain Fingerprint: 927656e07b11c1b9142869c6a6c1996526993b64fd76d6b8ad10c405cebaa0f8 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet โ€” this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-21 (per WHOIS / CT โ€” may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-21 08:25:28 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-05-21 05:34:21 UTC โ€” PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-05-31 10:15:31 UTC Neutralised: 2026-05-23 16:27:09 UTC Current status: ACTIVE โ€” cloaked behind HTTP 666 to evade scanners Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e48fd-55ec-71be-a18b-10525eba2fa5/ URLQuery: https://urlquery.net/report/b4489b7b-43b8-463e-8540-9b198d2a6c95 Wayback Machine: https://web.archive.org/web/*/blog-uphold.created.app crt.sh CT logs: https://crt.sh/?q=%25.blog-uphold.created.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=blog-uphold.created.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/blog-uphold.created.app URLhaus: https://urlhaus.abuse.ch/host/blog-uphold.created.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-21 08:26:45 UTC โ€” narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] Security analysts from PhishDestroy have identified blog-uphold.created.app as an active credential theft domain impersonating the Uphold cryptocurrency platform. The site is currently under investigation for involvement in phishing campaigns aimed at harvesting login credentials and draining crypto holdings. As of this advisory, the domain remains operational with no detections recorded across VirusTotalโ€™s vendor stack. This domain was flagged by 0 of 95 VirusTotal vendors and resolves to IP address 216.150.1.193. The Letโ€™s Encrypt SSL certificate layered on this infrastructure raises the risk profile by lending superficial legitimacy. Historical WHOIS records for blog-uphold.created.app indicate a recent creation date and low trust scores across multiple threat intelligence platforms, suggesting opportunistic deployment rather than established malicious infrastructure. Aggregated blocklist data currently shows zero prior reports, though this is expected to change rapidly as awareness spreads. Given the zero-day status and confirmed operational state, immediate action is recommended. Organizations and individual users are advised to block blog-uphold.created.app at the DNS and network perimeter. Exercise heightened scrutiny for Uphold login prompts via email or web links. If credential exposure is suspected, rotate passwords immediately and revoke any active API keys or session tokens. Monitor associated IP ranges and SSL certificates for related artifacts to prevent lateral compromise. [Updates since narrative was generated:] - VirusTotal detections: now 13/95 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260521-6D7ABA Favicon MD5: 2cc41790ef81b3ad77d17412bd7697b9 TLS cert SHA-256: 927656e07b11c1b9142869c6a6c1996526993b64fd76d6b8ad10c405cebaa0f8 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe โ€” new scam domains routinely show 0/95 VT for their first 7โ€“30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/blog-uphold.created.app/ JSON API: https://api.destroy.tools/v1/check?domain=blog-uphold.created.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 156,170 domains (38,595 alive under monitoring, 117,071 confirmed takedowns/dead). Site: https://phishdestroy.io