# PhishDestroy threat dossier — claim-txt-esl-org.help ================================================================ Fetched: 2026-07-05 04:53:23 UTC Canonical: https://phishdestroy.io/domain/claim-txt-esl-org.help/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 83/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 12/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, ESET, Emsisoft, Fortinet, G-Data, Google Safebrowsing, Kaspersky, Netcraft, OpenPhish, SOCRadar, Sophos Public blocklists: listed on 2 independent blocklists Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 52.144.46.173 (US, New York) ASN: AS36007 Kamatera, Inc. Hosting org: Cloud Web Manage Registrar: Porkbun LLC Nameservers: curitiba.ns.porkbun.com, fortaleza.ns.porkbun.com, maceio.ns.porkbun.com, salvador.ns.porkbun.com Registered: 2026-07-04 Expires: 2027-07-04 Page title: ESL Federal Credit Union - Log in ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: tyndall-claims.sbs Expires: 2027-06-30 Status: INVALID chain Fingerprint: 97fbf1f57638bc5f14aea906e9040fc244cbaacc302c5361da75144f4ed6bfb1 Subject Alternative Names (related infrastructure — often same operator): - autodiscover.tyndall-claims.sbs - cpanel.tyndall-claims.sbs - cpcalendars.tyndall-claims.sbs - cpcontacts.tyndall-claims.sbs - mail.tyndall-claims.sbs - tyndall-claims.sbs - webdisk.tyndall-claims.sbs - webmail.tyndall-claims.sbs - www.tyndall-claims.sbs ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-04 14:20:11 UTC (by PhishDestroy tracker) First reported: 2026-07-04 12:28:30 UTC (abuse notice filed) Last verified: 2026-07-05 06:46:39 UTC Neutralised: 2026-07-04 18:17:26 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f2d10-9ac3-7407-b6a3-f42894d8873d/ URLQuery: https://urlquery.net/report/1175cb2a-2869-4c4f-9aeb-bc7ccbc53896 Wayback Machine: https://web.archive.org/web/*/claim-txt-esl-org.help crt.sh CT logs: https://crt.sh/?q=%25.claim-txt-esl-org.help Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=claim-txt-esl-org.help AlienVault OTX: https://otx.alienvault.com/indicator/domain/claim-txt-esl-org.help URLhaus: https://urlhaus.abuse.ch/host/claim-txt-esl-org.help/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-04 14:25:42 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, claim-txt-esl-org.help, poses a high-risk crypto drainer threat designed to steal cryptocurrency and login credentials. The site mimics the appearance of ESL Federal Credit Union’s login page, tricking visitors into entering sensitive information. Once credentials are entered, automated scripts drain digital wallets or hijack accounts, leading to immediate financial loss for victims. The threat is particularly dangerous due to its targeted impersonation of a trusted financial institution, increasing the likelihood of successful deception. Analysis indicates this domain is part of an active phishing infrastructure. It was registered on July 04, 2026, through Porkbun LLC and currently resolves to the IP address 52.144.46.173. Security vendors on VirusTotal flagged the domain as malicious, with 11 out of 95 engines detecting it as a threat. Google Safe Browsing also classifies it under the SOCIAL_ENGINEERING category, confirming its use in deceptive practices. The SSL certificate is issued directly to claim-txt-esl-org.help, a common tactic to appear legitimate while concealing malicious intent. If you or someone you know visited this domain, immediate action is required. Disconnect the device from the internet to prevent further data transmission. Run a full scan using updated security software to detect and remove any malware. Change passwords for all financial accounts, especially those associated with ESL Federal Credit Union, using a separate, secure device. Enable multi-factor authentication where available. Monitor bank and cryptocurrency accounts for unauthorized transactions and report any suspicious activity to the affected institution. Consider freezing credit reports to prevent identity theft. Users should also report the domain to their local cybersecurity authorities to aid in takedown efforts. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260704-55809D Favicon MD5: 3cc5785be1e5c9462f29dfdb389acf10 TLS cert SHA-256: 97fbf1f57638bc5f14aea906e9040fc244cbaacc302c5361da75144f4ed6bfb1 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/claim-txt-esl-org.help/ JSON API: https://api.destroy.tools/v1/check?domain=claim-txt-esl-org.help Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,839 domains (12,676 alive under monitoring, 161,290 confirmed takedowns/dead). Site: https://phishdestroy.io