# PhishDestroy threat dossier — check-aml.life
================================================================
Fetched: 2026-04-24 18:40:01 UTC
Canonical: https://phishdestroy.io/domain/check-aml.life/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: AML Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, Gridinsoft, Kaspersky
URLQuery: 3 detections
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 109.107.168.175 (RU, Moscow)
ASN: AS200823 MHost LLC
Hosting org: Partner Hosting LTD
Registrar: Global Domain Group LLC
Nameservers: etta.ns.cloudflare.com, lee.ns.cloudflare.com
Registered: 2026-04-05
Expires: 2027-04-05
Page title: AML Trust Lab | Secure Computation Network for Blockchain-adapted Cryptography
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-07-04
Status: INVALID chain
Fingerprint: 7c76b227c2a3a25120642a7e318c41bfea340e880b457c1f74a01e23c541654f
Subject Alternative Names (related infrastructure — often same operator):
- api.check-aml.life

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-05 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-24 16:33:11 UTC (by PhishDestroy tracker)
First reported: 2026-04-24 13:34:00 UTC (abuse notice filed)
Last verified: 2026-04-24 19:50:06 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dbfb0-dbba-714a-8f80-1ab316061d82/
URLQuery: https://urlquery.net/report/af8acdc2-9430-495c-a1b4-bd0c5f3bc16d
Wayback Machine: https://web.archive.org/web/*/check-aml.life
crt.sh CT logs: https://crt.sh/?q=%25.check-aml.life
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=check-aml.life
AlienVault OTX: https://otx.alienvault.com/indicator/domain/check-aml.life
URLhaus: https://urlhaus.abuse.ch/host/check-aml.life/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-24 16:34:06 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies the domain check-aml.life as an active generic phishing threat posing as an Anti-Money Laundering (AML) compliance portal. The domain is currently classified as an elevated-risk threat and remains in active operation.

This domain was flagged by 4 of 95 VirusTotal security vendors and is blocked by SEAL and MetaMask security solutions. It was registered through Global Domain Group LLC on April 05, 2026, and resolves to IP address 109.107.168.175. Additionally, the domain appears on two separate security blocklists and utilizes a Let’s Encrypt SSL certificate, suggesting an attempt to appear legitimate.

Given its active status and confirmed malicious indicators, users are strongly advised to avoid accessing check-aml.life. Security teams should block this domain at the network perimeter and update firewall rules to include IP 109.107.168.175. Any recent or ongoing interactions with this domain should be treated as a potential compromise and investigated immediately. Implement heightened monitoring for lateral movement or credential harvesting attempts within the affected network segment.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260424-4DD54F
Favicon MD5: 6f51002c6045cf0f719cd1979e7db0dc
TLS cert SHA-256: 7c76b227c2a3a25120642a7e318c41bfea340e880b457c1f74a01e23c541654f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets.
Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/check-aml.life/
JSON API: https://api.destroy.tools/v1/check?domain=check-aml.life
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io