# PhishDestroy threat dossier — concave-device-266580.framer.app
================================================================
Fetched: 2026-06-28 08:01:30 UTC
Canonical: https://phishdestroy.io/domain/concave-device-266580.framer.app/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Aave

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 19/91 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CRDF, ESET, Fortinet, G-Data, LevelBlue, Lionic, PhishLabs, Sophos
URLQuery: 2 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 31.43.161.6 (NL, Amsterdam)
ASN: AS16509 Amazon.com, Inc.
Hosting org: Framer B.V
Registrar: Framer
Nameservers: NS_NOT_FOUND
Registered: 2026-04-29
Page title: AT&T Mail

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-07-06
Status: INVALID chain
Fingerprint: a56001ff73b2e769ad9c3294e0330f0155d40d0a6c11de79e1b100ffba8ac44c

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-29 03:18:54 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-29 00:19:27 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-06-28 09:46:40 UTC
Neutralised: 2026-06-06 17:33:34 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dd699-133e-76b8-aca6-110fbab7593b/
URLQuery: https://urlquery.net/report/85c1d778-5b09-4c3e-9eee-8ce640c11f07
Wayback Machine: https://web.archive.org/web/*/concave-device-266580.framer.app
crt.sh CT logs: https://crt.sh/?q=%25.concave-device-266580.framer.app
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=concave-device-266580.framer.app
AlienVault OTX: https://otx.alienvault.com/indicator/domain/concave-device-266580.framer.app
URLhaus: https://urlhaus.abuse.ch/host/concave-device-266580.framer.app/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-29 03:19:56 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]
concave-device-266580.framer.app is a live fraudulent domain detected by PhishDestroy, actively impersonating the Aave brand to deceive users into disclosing cryptocurrency credentials or funds. The site is hosted on Framer.app, a legitimate website builder whose free subdomains have been abused to deploy a page spoofing Aave's official interface. No drainer-kit fingerprint was observed during initial analysis, but the page structure closely mirrors Aave's UI, including cloned forms and transaction-simulation pages, indicating a high-fidelity impersonation campaign designed to harvest private keys or initiate malicious wallet connections.

Technical indicators confirm elevated risk: VirusTotal reports a detection score of 11 out of 95 security vendors, i.e. partial but not universal detection. The domain resolves to IP address 31.43.161.6 and serves a Let's Encrypt certificate; a free, automatically issued certificate gives the page a browser padlock but says nothing about who operates it, and is typical of throwaway infrastructure. framer.app is Framer's platform domain under the .app TLD, so the label concave-device-266580 is a customer-assigned subdomain (likely auto-generated) rather than a separately registered domain: registrar-level blocking does not apply, and takedown must go through Framer's abuse channel. Google Safe Browsing (GSB) status is unconfirmed in this dataset, and no public blocklist count is provided, though 11 detections suggest partial inclusion in security feeds. The domain is newly active and lacks historical reputation, amplifying its threat potential.

The domain remains active and is currently serving fraudulent content targeting Aave users. Immediate response actions include domain blocking at network and endpoint levels and reporting to Framer.app's abuse channel for subdomain takedown. Because 31.43.161.6 is Framer's shared hosting (AS16509, Framer B.V.), an IP-level block will also affect other Framer-hosted sites; the domain is the precise indicator to block. Aave stakeholders should issue public advisories listing the domain, and organizations using Aave should add it to DNS and browser-based blocklists.
Although the risk is elevated due to active impersonation and partial detection, the absence of a known drainer kit and limited spread suggest the campaign is in early deployment. Continuous monitoring and proactive threat hunting are required to prevent user exposure and financial loss.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260429-43FA2C
Favicon MD5: 810193ede98443698ba6b54575e9cf3c
TLS cert SHA-256: a56001ff73b2e769ad9c3294e0330f0155d40d0a6c11de79e1b100ffba8ac44c

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
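To make the "not VirusTotal alone" point concrete, here is an added illustration of how a multi-signal aggregator of the kind listed above behaves. It is not PhishDestroy's scoring code: the per-signal weights, the 20% VirusTotal saturation point and the `Indicators` field set are invented for this example, and the human sign-off on the dossier above is assumed. The first indicator set is transcribed from the DETECTION EVIDENCE, INFRASTRUCTURE, TLS and TIMELINE fields of this page; the second is a constructed day-zero case with 0/95 on VirusTotal.

```python
"""Toy composite-score aggregator sketched after the PhishDestroy signal list.

All weights are invented for illustration; they are not PhishDestroy's formula.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone


@dataclass
class Indicators:
    vt: str                     # "positives/total" as printed on the dossier
    blocklists: int             # independent public blocklists listing the domain
    scanner_hits: int           # URLScan / URLQuery detections
    brand_impersonation: bool   # DOM heuristics matched a tracked brand
    drainer_kit: bool           # known wallet-drainer family fingerprint
    free_tls: bool              # Let's Encrypt style throwaway certificate
    cloaking: bool              # bot vs real-visitor rendering delta
    researcher_signoff: bool    # human confirmation (assumed for this dossier)
    registered: date            # WHOIS creation date (date granularity only)
    first_seen: datetime        # tracker first-detection timestamp, UTC


def parse_vt(field: str) -> tuple[int, int]:
    """'19/91' -> (19, 91); rejects malformed fields instead of guessing."""
    pos, _, total = field.partition("/")
    positives, vendors = int(pos), int(total)
    if vendors <= 0 or not 0 <= positives <= vendors:
        raise ValueError(f"bad VirusTotal field: {field!r}")
    return positives, vendors


def domain_age_days(registered: date, first_seen: datetime) -> int:
    """Days between WHOIS creation and first detection (0 = same day)."""
    return (first_seen.astimezone(timezone.utc).date() - registered).days


def composite_score(ind: Indicators) -> int:
    """Sum of capped per-signal contributions, clamped to 0..100 (assumed weights)."""
    positives, vendors = parse_vt(ind.vt)
    # VT saturates at 20% positives: vendor coverage of a day-old domain is sparse,
    # so the ratio is treated as corroboration, not as the verdict.
    vt_points = min(25, round(125 * positives / vendors))
    blocklist_points = {0: 0, 1: 15}.get(ind.blocklists, 25)
    scanner_points = 10 if ind.scanner_hits > 0 else 0
    brand_points = 20 if ind.brand_impersonation else 0
    kit_points = 10 if ind.drainer_kit else 0
    tls_points = 5 if ind.free_tls else 0
    cloak_points = 5 if ind.cloaking else 0
    age_points = 10 if domain_age_days(ind.registered, ind.first_seen) < 30 else 0
    human_points = 15 if ind.researcher_signoff else 0
    total = (vt_points + blocklist_points + scanner_points + brand_points
             + kit_points + tls_points + cloak_points + age_points + human_points)
    return max(0, min(100, total))


# Transcribed from the dossier fields above (researcher sign-off assumed).
CONCAVE = Indicators(
    vt="19/91", blocklists=1, scanner_hits=2, brand_impersonation=True,
    drainer_kit=False, free_tls=True, cloaking=False, researcher_signoff=True,
    registered=date(2026, 4, 29),
    first_seen=datetime(2026, 4, 29, 3, 18, 54, tzinfo=timezone.utc),
)

# Constructed day-zero case: 0/95 on VirusTotal, but already on two crypto
# blocklists, cloaking, and carrying a drainer-kit fingerprint.
DAY_ZERO = Indicators(
    vt="0/95", blocklists=2, scanner_hits=0, brand_impersonation=True,
    drainer_kit=True, free_tls=True, cloaking=True, researcher_signoff=False,
    registered=date(2026, 6, 1),
    first_seen=datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for name, ind in (("concave-device-266580.framer.app", CONCAVE), ("day-zero", DAY_ZERO)):
        print(f"{name}: composite {composite_score(ind)}/100, VT {ind.vt}")
```

Under these made-up weights the dossier's indicators reach 100, and the constructed day-zero domain scores 75 with a 0/95 VirusTotal count, which is the situation the paragraph above warns about: a consumer keying only on VT would wave it through.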
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/concave-device-266580.framer.app/
JSON API: https://api.destroy.tools/v1/check?domain=concave-device-266580.framer.app
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,941 domains (13,575 alive under monitoring, 156,953 confirmed takedowns/dead). Site: https://phishdestroy.io