# PhishDestroy threat dossier — claimyourtoken.com
================================================================
Fetched: 2026-07-03 18:48:25 UTC
Canonical: https://phishdestroy.io/domain/claimyourtoken.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 98/100 (PhishDestroy scoring — see methodology below)
Targeted brand: OKX
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: Forcepoint ThreatSeeker
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.67.195.36 (US, San Francisco)
ASN: AS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org: AS13335 Cloudflare, Inc.
Registrar: Wild West Domains, LLC
Nameservers: elle.ns.cloudflare.com, gerald.ns.cloudflare.com
Registered: 2026-03-10
Expires: 2028-03-10
Page title: $DOOD by Doodles
HTTP response: 200

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-03-10 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-03 03:53:51 UTC (by PhishDestroy tracker)
First reported: 2026-07-03 01:55:10 UTC (abuse notice filed)
Last verified: 2026-07-03 20:46:46 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f25ad-eebf-73ba-8915-7986512bad21/
URLQuery: https://urlquery.net/report/ce06ed1c-6599-49a2-9258-06bf7dc7c983
Wayback Machine: https://web.archive.org/web/*/claimyourtoken.com
crt.sh CT logs: https://crt.sh/?q=%25.claimyourtoken.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=claimyourtoken.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/claimyourtoken.com
URLhaus: https://urlhaus.abuse.ch/host/claimyourtoken.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-03 03:54:40 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, claimyourtoken.com, is flagged for brand impersonation targeting OKX, a major cryptocurrency exchange platform. The site presents itself as a promotional portal for a $DOOD token initiative by Doodles, a known NFT project, which is atypical for the targeted brand’s legitimate operations. Brand impersonation in this context typically aims to deceive users into connecting wallets or divulging credentials under the guise of exclusive token distributions, a common vector for cryptocurrency drainer kits or credential harvesting schemes.
The use of a trending NFT project name in the page title suggests an attempt to exploit current market interest and user curiosity to maximize engagement with the fraudulent infrastructure.

Infrastructure analysis reveals the following technical indicators: the domain resolves to the IP address 188.114.97.3, which is associated with a content delivery network known for hosting both legitimate and malicious content. It was registered on March 10, 2026, through Wild West Domains, LLC, a registrar frequently utilized for both benign and malicious domains. The SSL certificate is issued by Google Trust Services, providing an appearance of legitimacy. VirusTotal reports 0 detections out of 95 security engines, indicating the domain has not yet been flagged by major threat intelligence feeds. No entries are present in Google Safe Browsing or other prominent blocklists at the time of assessment. The creation date, set in the future (2026), is anomalous and may indicate an attempt to evade automated detection systems that rely on domain age as a risk factor.

The domain remains active and under investigation, with no takedown or mitigation actions observed as of this analysis. The absence of detections on VirusTotal and blocklists does not preclude malicious intent, particularly given the domain’s impersonation of a high-value cryptocurrency brand and the use of social engineering tactics. Users are advised to exercise extreme caution and avoid interacting with the site, particularly any requests to connect wallets or input sensitive information. Organizations targeted by this impersonation should monitor for similar domains and consider preemptive blocklisting of the IP address 188.114.97.3 within their security infrastructure. Further monitoring of the domain’s behavior and network traffic is recommended to assess the full scope of the threat and identify potential affiliate infrastructure or downstream payload delivery mechanisms.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260703-5FD5C6
Favicon MD5: d049f63b080aecd71c204caeca8790a8

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/claimyourtoken.com/
JSON API: https://api.destroy.tools/v1/check?domain=claimyourtoken.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,407 domains (13,157 alive under monitoring, 160,432 confirmed takedowns/dead).
Site: https://phishdestroy.io