# PhishDestroy threat dossier — connect-jupier-exchage-cdn.pages.dev
================================================================
Fetched: 2026-05-03 05:41:52 UTC
Canonical: https://phishdestroy.io/domain/connect-jupier-exchage-cdn.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 92/100 (PhishDestroy scoring — see methodology below)
Scam classification: Fake Exchange
Targeted brand: Jupiter

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: leonard.ns.cloudflare.com, molly.ns.cloudflare.com
Registered: 2026-04-30
Page title: Jupiter Exchange | Non-Custodial Solana DEX for Pro-Level Trading
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-07
Status: INVALID chain
Fingerprint: 2c67375298eaf83c61f149a5fb832ada92765ebc0c8c0604214575afa57dc14c

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-30 20:55:24 UTC (by PhishDestroy tracker)
Last verified: 2026-05-02 19:40:10 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019ddf84-1a26-741f-bc8e-1a37b554e00e/
Wayback Machine: https://web.archive.org/web/*/connect-jupier-exchage-cdn.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.connect-jupier-exchage-cdn.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=connect-jupier-exchage-cdn.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/connect-jupier-exchage-cdn.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/connect-jupier-exchage-cdn.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-30 20:59:40 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]
connect-jupier-exchage-cdn.pages.dev poses a verified impersonation risk linked to Jupiter Exchange, a Solana-based decentralized exchange (DEX) known for non-custodial trading. This domain mimics the official project’s branding and service description to deceive users into interacting with a fraudulent platform. The fraudulent site imitates Jupiter’s offerings, complete with a misleading page title that replicates legitimate product language, creating a high-confidence lure for crypto traders seeking advanced trading tools. Initial analysis indicates this is an active brand hijacking campaign with clear intent to steal funds or harvest credentials under the guise of a trustworthy DEX.
PhishDestroy has flagged this domain under the unique seed identifier 479bbd as part of a targeted impersonation operation. This fraudulent domain resolves to 188.114.97.3 and is hosted behind Cloudflare, using a Google Trust Services SSL certificate to enhance credibility. Despite being registered through Cloudflare, Inc.—a common tactic among threat actors to obscure hosting origin—the domain remains undetected on VirusTotal, with a scan result of 0 out of 95 security engines flagging malicious content. This low detection rate may reflect either evasion tactics or a recent deployment. The site mimics Jupiter Exchange’s branding by using a near-identical page title: 'Jupiter Exchange | Non-Custodial Solana DEX for Pro-Level Trading,' which closely mirrors the legitimate site’s language to increase deception effectiveness. While full historical visibility is limited due to Cloudflare’s privacy protections, the lack of detection underscores the need for proactive monitoring and rapid escalation. Users and organizations are strongly advised to avoid accessing connect-jupier-exchage-cdn.pages.dev entirely. Instead, always navigate directly to the official Jupiter Exchange platform at jup.io or verified social channels. Organizations should deploy automated domain monitoring tools that track newly registered domains (NRDs) resembling Jupiter’s branding, and integrate real-time threat intelligence feeds to detect similar impersonations. Security teams are urged to block the IP address 188.114.97.3 and report this domain via threat intelligence platforms and incident response channels. Immediate takedown requests should be submitted to Cloudflare, referencing the abuse contact and domain details. By treating all unknown domains as potential impersonation vectors—especially those mimicking crypto DEXs—users can significantly reduce exposure to credential theft or wallet drain attacks. 
Continuous monitoring and user education on domain verification remain critical defenses against evolving brand impersonation campaigns.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: 2c67375298eaf83c61f149a5fb832ada92765ebc0c8c0604214575afa57dc14c

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/connect-jupier-exchage-cdn.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=connect-jupier-exchage-cdn.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 144,880 domains (52,889 alive under monitoring, 91,737 confirmed takedowns/dead).
Site: https://phishdestroy.io