# PhishDestroy threat dossier — budgetspikes.com
================================================================
Fetched: 2026-05-18 03:43:16 UTC
Canonical: https://phishdestroy.io/domain/budgetspikes.com/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: MetaMask

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/92 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 45.9.148.106 (NL, Amsterdam)
ASN: AS49447 Nice IT Services Group Inc.
Hosting org: Nice IT Services Group Inc.
Registrar: eNom, LLC
Nameservers: ["ns1.mysecurecloudhost.com", "ns2.mysecurecloudhost.com", "ns3.mysecurecloudhost.com"]
Registered: 2026-05-16
Page title: MasterV — Real Estate Tools That Help Teams Move Faster
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-08-02
Status: INVALID chain
Fingerprint: f0bfd7d822a28bbf7a54e6c43dad541d894f4552ccfcb935ef3faa6a891f8d58
Subject Alternative Names (related infrastructure — often same operator):
- www.budgetspikes.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-16 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-16 21:12:04 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-05-16 18:13:08 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-18 05:40:34 UTC
Current status: ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e31fb-8a63-7278-99ce-cc1f05f6b8ad/
URLQuery: https://urlquery.net/report/6f7f2c4b-cf0d-482f-aa31-098d5e4f0d01
Wayback Machine: https://web.archive.org/web/*/budgetspikes.com
crt.sh CT logs: https://crt.sh/?q=%25.budgetspikes.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=budgetspikes.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/budgetspikes.com
URLhaus: https://urlhaus.abuse.ch/host/budgetspikes.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-16 21:12:31 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

budgetspikes.com is currently classified as a generic phishing domain with an under-investigation risk level, and PhishDestroy has identified it as a potential cryptocurrency drainer scam.
The domain is active and poses a credible threat to users who engage with its content, particularly those involved in crypto transactions.

budgetspikes.com was registered through ENOM, INC. on January 27, 2026, and resolves to the IP address 45.9.148.106. The domain utilizes a Let's Encrypt SSL certificate, which may falsely imply legitimacy to unsuspecting visitors. Despite having 0/95 detections on VirusTotal at the time of analysis, this domain has already been flagged by MetaMask and appears on at least one security blocklist, indicating early detection by some security systems. The domain's recent creation date suggests a hastily deployed operation, which is a common tactic among threat actors to avoid prolonged scrutiny.

The specific threat posed by budgetspikes.com is consistent with cryptocurrency drainer scams, which typically aim to trick users into connecting their wallets or entering private keys to drain assets. Given its recent registration, the lack of detections on VirusTotal is not unusual, as threat intelligence feeds often lag behind emerging threats. The presence of a Let's Encrypt SSL certificate is a red flag, as scammers frequently exploit free SSL certificates to appear legitimate. Users should avoid interacting with this domain entirely, especially if it requests wallet connections or personal information.

To mitigate risks associated with this domain, users should refrain from visiting budgetspikes.com or clicking any links associated with it. If you have already visited the site, avoid connecting your cryptocurrency wallet or entering any sensitive information. Use a reputable security tool like PhishDestroy to verify the domain's safety status. Additionally, monitor your wallet for any unauthorized transactions and revoke any suspicious smart contract approvals immediately. Always verify URLs manually and cross-check domains against trusted blocklists before engaging with crypto-related websites.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260516-771650
Favicon MD5: 2cc41790ef81b3ad77d17412bd7697b9
TLS cert SHA-256: f0bfd7d822a28bbf7a54e6c43dad541d894f4552ccfcb935ef3faa6a891f8d58

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/budgetspikes.com/
JSON API: https://api.destroy.tools/v1/check?domain=budgetspikes.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 150,739 domains (34,857 alive under monitoring, 115,574 confirmed takedowns/dead).
Site: https://phishdestroy.io