# PhishDestroy threat dossier — cexcmss.vip
================================================================

Fetched:   2026-04-19 12:19:58 UTC
Canonical: https://phishdestroy.io/domain/cexcmss.vip/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 75/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      2/94 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, Chong Lua Dao

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.67.198.129
Registrar:       Dynadot Inc
Nameservers:     ["alaric.ns.cloudflare.com", "brynne.ns.cloudflare.com"]
Registered:      2026-04-16
Page title:      FinData Pro - Analytics Dashboard
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-15
Status:     INVALID chain
Fingerprint: 312a0f80aa6fc84310acf1a864baa3a6bb24286f6556b25a9653574959bbe8e5

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-16 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-16 18:46:41 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-16 15:47:42 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-04-19 14:46:18 UTC
Current status:    ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d96f8-7f43-72b6-a785-ac76978a80c6/
URLQuery:         https://urlquery.net/report/b5095494-df01-4a2a-baa4-5114aebdec44
Wayback Machine:  https://web.archive.org/web/*/cexcmss.vip
crt.sh CT logs:   https://crt.sh/?q=%25.cexcmss.vip
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=cexcmss.vip
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/cexcmss.vip
URLhaus:          https://urlhaus.abuse.ch/host/cexcmss.vip/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-16 18:46:59 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, cexcmss.vip, has been identified as a crypto drainer impersonating the legitimate CEX.IO exchange. The site is designed to trick users into connecting their cryptocurrency wallets under the false pretense of offering exclusive services or promotions. Once a wallet is connected, the drainer can silently transfer funds to attacker-controlled addresses, often without the user’s immediate awareness. The threat is classified as active and is currently under investigation by cybersecurity researchers.  PhishDestroy identifies this domain as a high-risk threat due to multiple red flags in its infrastructure. The domain was created on April 16, 2026, which is alarmingly recent, suggesting it was registered solely for malicious purposes. VirusTotal currently shows 0 out of 95 security engines detecting the domain, meaning most antivirus tools have not yet flagged it. The site uses a Let’s Encrypt SSL certificate to appear legitimate, but this does not guarantee safety. The domain is registered through Dynadot LLC and resolves to the IP address 172.67.198.129, which has been linked to other known malicious activities.  If you have visited cexcmss.vip, disconnect your wallet immediately and revoke any permissions granted to the site through your wallet’s connected app settings. Do not enter any login credentials or interact with the page further. Report the domain to your antivirus provider and consider running a full malware scan on your device. Use caution when visiting unfamiliar domains, especially those mimicking well-known brands, and always verify URLs before clicking. Share this warning with others to prevent further victims.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260416-160B57
TLS cert SHA-256:      312a0f80aa6fc84310acf1a864baa3a6bb24286f6556b25a9653574959bbe8e5

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/cexcmss.vip/
JSON API:          https://api.destroy.tools/v1/check?domain=cexcmss.vip
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io