# PhishDestroy threat dossier — camonsolana.com
================================================================
Fetched: 2026-04-30 07:52:15 UTC
Canonical: https://phishdestroy.io/domain/camonsolana.com/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Crypto Drainer
Targeted brand: Solana
Wallet drainer: Solana Drainer

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, Gridinsoft, URLQuery
URLQuery: 4 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.96.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers: chan.ns.cloudflare.com, matias.ns.cloudflare.com
Registered: 2026-04-26
Page title: Fee Distribution Portal
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-20
Status: INVALID chain
Fingerprint: 9c053ef6585792847c77a402e1f33feb4f1df81209d1b0b9c2a72d82cb9c01c4

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-26 17:05:36 UTC (by PhishDestroy tracker)
First reported: 2026-04-26 14:08:18 UTC (abuse notice filed)
Last verified: 2026-04-30 09:39:08 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dca1b-1406-71fe-b779-82fbb225f86b/
URLQuery: https://urlquery.net/report/f383ada0-81fa-41af-9d0a-99a076ab0a08
Wayback Machine: https://web.archive.org/web/*/camonsolana.com
crt.sh CT logs: https://crt.sh/?q=%25.camonsolana.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=camonsolana.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/camonsolana.com
URLhaus: https://urlhaus.abuse.ch/host/camonsolana.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-26 17:06:38 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

Domain camonsolana.com is hosting an active Solana Drainer campaign. The page title 'Fee Distribution Portal' indicates an attempt to impersonate legitimate Solana fee distribution services. The drainer kit in use is identified as the Solana Drainer, a toolkit designed to steal cryptocurrency assets from unwitting users by tricking them into connecting their wallets to fraudulent smart contracts. This domain does not represent any official Solana entity and should be treated as malicious infrastructure.

Technical indicators for this domain are as follows: it resolves to IP 188.114.96.3, was registered through PDR Ltd. d/b/a PublicDomainRegistry.com, and was created on April 21, 2026.
The domain holds a valid SSL certificate issued by Google Trust Services, which does not guarantee legitimacy. VirusTotal currently records 0 detections out of 95 scanners, indicating the domain is not yet widely flagged by security vendors. As of this analysis, no entries in the Google Safe Browsing database have been identified for this domain.

This domain remains active and poses a critical risk to cryptocurrency users. Immediate actions include blocking the domain and IP at the network level, warning cryptocurrency communities via official channels, and reporting the domain to security vendors for takedown. Users are advised to verify any fee distribution portals by cross-referencing URLs with official Solana documentation and to use tools like PhishDestroy for real-time validation. Remaining risk is high due to the active status, low detection rate, and use of HTTPS to establish trust.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260426-A897E2
Favicon MD5: 6b0c3a937095705c09335887d2269e9d
TLS cert SHA-256: 9c053ef6585792847c77a402e1f33feb4f1df81209d1b0b9c2a72d82cb9c01c4

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/camonsolana.com/
JSON API: https://api.destroy.tools/v1/check?domain=camonsolana.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io