# PhishDestroy threat dossier — c-hangenow.com
================================================================
Fetched: 2026-05-03 12:05:53 UTC
Canonical: https://phishdestroy.io/domain/c-hangenow.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 62/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/91 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, Gridinsoft, Kaspersky, Seclookup

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 176.125.242.151 (MD, Chisinau)
ASN: AS200019 ALEXHOST SRL
Hosting org: Alexhost SRL
Registrar: Dynadot Inc
Nameservers: ["ns1.dyna-ns.net", "ns2.dyna-ns.net"]
Registered: 2026-04-26
Page title: ChangeNOW | Swap Crypto

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-06-24
Status: INVALID chain
Fingerprint: 64ea8e94ee0d7963a3f08e74180f24a26b5d20336c636a87d9e098fbfe38f6a2
Subject Alternative Names (related infrastructure — often same operator):
- www.c-hangenow.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-26 17:06:57 UTC (by PhishDestroy tracker)
First reported: 2026-04-26 14:09:01 UTC (abuse notice filed)
Last verified: 2026-04-30 19:40:22 UTC
Neutralised: 2026-04-30 17:03:03 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dca1b-d098-7339-8b52-31e4845f97ff/
URLQuery: https://urlquery.net/report/1ba2b58f-5d71-4432-bb24-bfe670326653
Wayback Machine: https://web.archive.org/web/*/c-hangenow.com
crt.sh CT logs: https://crt.sh/?q=%25.c-hangenow.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=c-hangenow.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/c-hangenow.com
URLhaus: https://urlhaus.abuse.ch/host/c-hangenow.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-26 17:08:27 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies c-hangenow.com as an active crypto-phishing domain under investigation for impersonating ChangeNOW, a legitimate cryptocurrency swap platform. The site presents itself as a crypto exchange but is designed to deceive users into surrendering private keys or funds under the guise of ‘swap services.’ The risk level is currently marked as ‘under_investigation’ while intelligence is gathered, but the page remains live and accessible.

Technical indicators show the domain was registered through Dynadot Inc on March 26, 2026, and resolves to IP address 176.125.242.151.
SSL encryption is provided via a Let’s Encrypt certificate, which confirms HTTPS connectivity but does not validate legitimacy. VirusTotal currently reports 0/95 detections, indicating it has evaded traditional antivirus engines so far. While no takedown has occurred yet, the absence of detection does not equate to safety — the domain is still active and poses a credible threat to cryptocurrency users.

This domain exhibits multiple red flags typical of phishing operations targeting crypto users. It mimics a well-known service (ChangeNOW) by mirroring the ‘Swap Crypto’ branding, a tactic used to exploit user trust. The recent domain creation date (only months old) is a common characteristic of disposable phishing infrastructure designed for short-term operations. The hosting IP, 176.125.242.151, is not associated with official ChangeNOW infrastructure, which typically operates under controlled, reputable hosting providers. Registrar Dynadot Inc is legitimate, but domain squatting and impersonation are frequent abuses within their platform. The SSL certificate from Let’s Encrypt is valid but does not authenticate the site’s identity — it only secures the connection between the user and the server, which an attacker can easily obtain. The 0/95 detection score on VirusTotal suggests evasion of signature-based scanners, a common behavior among newly deployed phishing sites waiting to be cataloged. No evidence yet exists of this domain appearing on major blocklists such as PhishTank, OpenPhish, or Google Safe Browsing, but this does not negate the threat — phishing sites often operate undetected until reports accumulate.

Users are strongly advised to avoid visiting c-hangenow.com and to treat any communication referencing this domain with extreme caution. If a user has already visited the site, they should not enter wallet addresses, private keys, or seed phrases.
Cryptocurrency transactions should only be conducted on verified, official platforms with verified SSL certificates and long-standing reputations. Users should report this domain to their security vendors, browser security teams, and platforms like PhishTank or Google Safe Browsing to accelerate takedown. It is also recommended to scan local devices for malware in case of credential theft attempts. Always verify URLs through official channels before interacting. Due to the active status and low detection rate, this domain remains a credible threat vector for crypto theft and should be treated as untrusted until conclusive evidence of legitimacy is provided.

[Updates since narrative was generated:]
- VirusTotal detections: now 4/91 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260426-CFFA7C
Favicon MD5: abeaf830230a97ef3d9d9c9160cc5ce6
TLS cert SHA-256: 64ea8e94ee0d7963a3f08e74180f24a26b5d20336c636a87d9e098fbfe38f6a2

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/c-hangenow.com/
JSON API: https://api.destroy.tools/v1/check?domain=c-hangenow.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 144,982 domains (55,981 alive under monitoring, 88,740 confirmed takedowns/dead).
Site: https://phishdestroy.io