# PhishDestroy threat dossier — claim.poiymark.xyz ================================================================ Fetched: 2026-07-13 07:29:40 UTC Canonical: https://phishdestroy.io/domain/claim.poiymark.xyz/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Crypto Drainer ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 14/91 security vendors flagged this domain Flagging vendors: ChainPatrol, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, Forcepoint ThreatSeeker, G-Data, Gridinsoft, Kaspersky, LevelBlue, SOCRadar, Webroot, Yandex Safebrowsing URLQuery: 2 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.145.227 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: DYNADOT LLC Nameservers: ["sara.ns.cloudflare.com", "wilson.ns.cloudflare.com"] Registered: 2026-06-08 Page title: Take part in an exclusive event! HTTP response: 404 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-07-24 Status: INVALID chain Fingerprint: 14018124a29065d72c1a6bb83a8d062e5bc50ebc71ab95ed72bc7b6306b0a608 Subject Alternative Names (related infrastructure — often same operator): - poiymark.xyz ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-09 05:31:16 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-06-08 14:54:54 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-07-13 08:20:41 UTC Neutralised: 2026-06-15 00:47:31 UTC Current status: taken down (registrar suspended or DNS dead) Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019ea7b5-e805-768f-b77a-44858be6087c/ URLQuery: https://urlquery.net/report/dca88b04-d6ad-4b5b-a100-11ef1ee153e5 Wayback Machine: https://web.archive.org/web/*/claim.poiymark.xyz crt.sh CT logs: https://crt.sh/?q=%25.claim.poiymark.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=claim.poiymark.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/claim.poiymark.xyz URLhaus: https://urlhaus.abuse.ch/host/claim.poiymark.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-26 01:43:37 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as a high-risk crypto drainer, a specialized threat designed to siphon cryptocurrency assets by tricking users into authorizing malicious transactions. Analysis indicates the domain impersonates exclusive event promotions to lure victims into connecting their digital wallets, where automated scripts drain funds upon interaction. The threat category is confirmed as a crypto drainer, distinct from generic phishing due to its direct financial exfiltration mechanism targeting blockchain assets. Infrastructure analysis reveals multiple red flags: the domain claim.poiymark.xyz was registered on June 08, 2026, through DYNADOT LLC and currently resolves to the IP address 172.67.145.227. It is detected by 12 out of 95 security vendors on VirusTotal and appears on three independent security blocklists. The SSL certificate is issued by Let's Encrypt, a common but not inherently malicious provider, while the page title, 'Take part in an exclusive event!', aligns with known social engineering tactics used in crypto drainer campaigns. The domain is currently offline, though this status may change rapidly. Mitigation against crypto drainer threats requires strict wallet security protocols. Users should avoid connecting wallets to unverified websites, particularly those promoting exclusive events or airdrops. Wallet software should be configured to require explicit transaction approval and to display clear warnings for high-risk contract interactions. Network-level protections, such as blocklist integration, can prevent access to known malicious domains. Post-exposure, affected users must immediately revoke all active wallet authorizations and transfer remaining assets to a new, secure wallet address to mitigate further losses. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260608-F6F282 TLS cert SHA-256: 14018124a29065d72c1a6bb83a8d062e5bc50ebc71ab95ed72bc7b6306b0a608 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/claim.poiymark.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=claim.poiymark.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,026 domains (49,756 alive under monitoring, 128,270 confirmed takedowns/dead). Site: https://phishdestroy.io