# PhishDestroy threat dossier — bridge.hexoacoin.com ================================================================ Fetched: 2026-07-06 15:54:34 UTC Canonical: https://phishdestroy.io/domain/bridge.hexoacoin.com/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 73/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 12/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CyRadar, ESET, Fortinet, G-Data, Kaspersky, Lionic, Sophos, VIPRE Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.26.118 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Squarespace Domains II LLC Nameservers: bowen.ns.cloudflare.com, lauryn.ns.cloudflare.com Registered: 2023-08-04 Expires: 2026-08-04 Page title: PulseChain Bridge HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2023-08-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 15:27:23 UTC (by PhishDestroy tracker) Last verified: 2026-07-06 16:25:16 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f379b-fc86-7793-a597-b9e911c43063/ Wayback Machine: https://web.archive.org/web/*/bridge.hexoacoin.com crt.sh CT logs: https://crt.sh/?q=%25.bridge.hexoacoin.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=bridge.hexoacoin.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/bridge.hexoacoin.com URLhaus: https://urlhaus.abuse.ch/host/bridge.hexoacoin.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-06 15:34:54 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, bridge.hexoacoin.com, is flagged as a high-risk generic phishing site targeting cryptocurrency users. Analysis indicates it impersonates the PulseChain Bridge interface, a cross-chain token transfer service, to deceive victims into approving malicious smart contract interactions. The page title explicitly reads 'PulseChain Bridge,' suggesting an intent to exploit trust in legitimate bridging infrastructure. No specific drainer kit signatures have been confirmed, but the domain exhibits behavioral patterns consistent with wallet-draining phishing campaigns, including simulated transaction approvals and credential harvesting prompts. Infrastructure analysis reveals the following technical indicators: the domain resolves to IP address 104.21.26.118 and was registered on August 04, 2023, through Squarespace Domains II LLC. The SSL certificate is issued by Let's Encrypt, providing a superficial layer of legitimacy. VirusTotal detection metrics show 12 out of 95 security vendors flagging the domain as malicious. No Google Safe Browsing (GSB) entries were identified at the time of analysis, though this may reflect a lag in propagation rather than absence of risk. Blocklist aggregators report active listings across multiple threat intelligence feeds, with at least three confirmed entries in cryptocurrency-specific blocklists. The domain remains active and continues to resolve, posing an ongoing threat to users attempting to interact with PulseChain or other cross-chain bridging services. Response actions should include immediate blacklisting in enterprise and consumer security tools, as well as dissemination of indicators of compromise (IOCs) to wallet providers and blockchain analytics platforms. Despite partial vendor coverage on VirusTotal, the remaining risk is elevated due to the domain's persistence, SSL encryption, and targeted impersonation of a high-value crypto service. Users are advised to verify bridging interfaces exclusively through official PulseChain documentation and to revoke any suspicious smart contract approvals linked to this domain. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 6212da9a131f07e30587624238492c2e ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/bridge.hexoacoin.com/ JSON API: https://api.destroy.tools/v1/check?domain=bridge.hexoacoin.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 175,439 domains (13,735 alive under monitoring, 160,779 confirmed takedowns/dead). Site: https://phishdestroy.io