# PhishDestroy threat dossier — claim-something.pages.dev
================================================================
Fetched: 2026-06-27 09:26:10 UTC
Canonical: https://phishdestroy.io/domain/claim-something.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 97/100 (PhishDestroy scoring — see methodology below)
Scam classification: Airdrop Scam
Targeted brand: Airdrop Scam
Phishing kit: Airdrop Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.66.44.69 (US, San Francisco)
ASN: AS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org: AS13335 Cloudflare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: hans.ns.cloudflare.com, love.ns.cloudflare.com
Page title: KIMCHI | Airdrop
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-09-23
Status: INVALID chain
Fingerprint: baff8fd1f965b6b3c65c800c0347482aad32b038b932dc3a8e52596f80f84678

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
First detected: 2026-06-26 13:50:36 UTC (by PhishDestroy tracker)
Last verified: 2026-06-27 10:30:17 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f03c3-1049-7481-af4d-075c3385fa81/
Wayback Machine: https://web.archive.org/web/*/claim-something.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.claim-something.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=claim-something.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/claim-something.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/claim-something.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 13:57:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain claim-something.pages.dev has been identified as posing a significant threat through brand impersonation, specifically targeting individuals with a fake airdrop scam. The page, titled 'KIMCHI | Airdrop', attempts to lure users into believing it is associated with legitimate cryptocurrency distributions, potentially tricking them into divulging sensitive information or engaging in fraudulent transactions. This type of attack can lead to the unauthorized draining of crypto assets, putting users at high risk of financial loss.

Technical analysis of the domain's infrastructure points to several concerning indicators. The domain is registered through Cloudflare, Inc., which provides a credible registration front that can often mask nefarious activities.
Its IP resolves to 172.66.44.69, and although it is currently active, it has not yet been flagged by security systems on VirusTotal, which shows 0 out of 95 detections. This suggests that the site is either utilizing advanced methods to avoid detection or is newly established, evading existing blocklists and malware databases. The SSL certificate issued by Google Trust Services further adds a layer of false legitimacy to the site.

Users who visited the domain should immediately take measures to protect their online security. They should check for any unauthorized transactions from their cryptocurrency accounts and consider changing their login credentials to mitigate potential damages. Consulting a cybersecurity professional for a detailed account review may also be advisable. General recommendations include avoiding sharing sensitive data on unverified sites and using multi-factor authentication whenever possible to enhance security. Regularly updating security filters and relying on reputable anti-phishing tools can help prevent future incidents.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 07faff04e2f03f71bfb9286d01af6ef8
TLS cert SHA-256: baff8fd1f965b6b3c65c800c0347482aad32b038b932dc3a8e52596f80f84678

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/claim-something.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=claim-something.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,806 domains (12,465 alive under monitoring, 157,937 confirmed takedowns/dead).
Site: https://phishdestroy.io