# PhishDestroy threat dossier — coincorner.trade ================================================================ Fetched: 2026-04-22 08:52:44 UTC Canonical: https://phishdestroy.io/domain/coincorner.trade/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 73/100 (PhishDestroy scoring — see methodology below) Scam classification: Fake Exchange Targeted brand: Investment Scam ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/94 security vendors flagged this domain Flagging vendors: Netcraft ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.15.96 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: NameSilo, LLC !!! REGISTRAR INTEGRITY ALERT — NameSilo !!! NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received. Primary sources: https://phishdestroy.io/namesilo-killed-our-twitter https://phishdestroy.io/xmrwallet-namesilo-exposed Nameservers: danica.ns.cloudflare.com, hayes.ns.cloudflare.com Registered: 2026-02-12 Page title: coincornertrade.com | Cryptocurrency trading and investment platform ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-07-12 Status: INVALID chain Fingerprint: 3945016493f3c91d877d164da19c4647af5c071cc1f2bf164ad61b188ef80ea2 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-02-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-21 14:13:41 UTC (by PhishDestroy tracker) First reported: 2026-04-21 11:14:28 UTC (abuse notice filed) Last verified: 2026-04-22 07:40:05 UTC Neutralised: 2026-04-22 04:20:55 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dafbe-0524-7226-a4f1-bda3a067f3b3/ URLQuery: https://urlquery.net/report/82eae511-79b9-4070-9596-f410ed172b81 Wayback Machine: https://web.archive.org/web/*/coincorner.trade crt.sh CT logs: https://crt.sh/?q=%25.coincorner.trade Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=coincorner.trade AlienVault OTX: https://otx.alienvault.com/indicator/domain/coincorner.trade URLhaus: https://urlhaus.abuse.ch/host/coincorner.trade/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-21 14:14:42 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] A newly registered domain, coincorner.trade, has been identified as a fraudulent cryptocurrency exchange site masquerading as the legitimate CoinCorner platform. This domain poses a significant risk to users seeking legitimate crypto services, as it leverages deceptive branding to steal credentials and sensitive financial data. The threat actor behind this scheme has registered the domain recently—on February 12, 2026—using NameSilo, LLC as the registrar, which is a common choice for malicious actors seeking anonymity and low-cost domain hosting. The domain resolves to IP address 104.21.15.96 and, despite its recent creation, has already drawn minimal attention from security vendors, with only 1 out of 95 flagging it as malicious on VirusTotal. PhishDestroy identifies this domain as an active cryptocurrency exchange phishing scam, designed to lure victims into entering their login credentials or payment details under the false pretense of accessing CoinCorner’s services. The domain’s SSL certificate, issued by Google Trust Services, may lend an air of legitimacy, but the low detection rate on VirusTotal (1/95) highlights its stealthy nature and the challenge security tools face in identifying it. Additionally, the domain’s recent registration date and the choice of registrar further underscore its malicious intent, as threat actors often exploit newly registered domains to evade detection before security mechanisms can adapt. Users who have visited coincorner.trade should immediately cease any interaction with the site and assess whether they entered any credentials or payment information. If credentials were provided, users must change their passwords immediately and enable multi-factor authentication on their legitimate CoinCorner accounts. For those who entered financial details, contacting their bank or payment provider to report potential fraud and request a card replacement is critical. Organizations are advised to block the domain at the network level and monitor for any related suspicious activity. Report any interactions with this domain to your IT security team or the appropriate cybercrime unit to aid in broader threat mitigation efforts. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260421-6CCA0A Favicon MD5: aa9b25287f982460ca2d217c7672816c TLS cert SHA-256: 3945016493f3c91d877d164da19c4647af5c071cc1f2bf164ad61b188ef80ea2 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/coincorner.trade/ JSON API: https://api.destroy.tools/v1/check?domain=coincorner.trade Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io