# PhishDestroy threat dossier — connectbridgeen.hashnode.dev
================================================================
Fetched: 2026-07-03 04:35:57 UTC
Canonical: https://phishdestroy.io/domain/connectbridgeen.hashnode.dev/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 77/100 (PhishDestroy scoring — see methodology below)
Scam classification: Crypto Drainer

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: Gridinsoft
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.67.73.249 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: Go Canada Domains, LLC
Nameservers: ["duke.ns.cloudflare.com", "eva.ns.cloudflare.com"]
Page title: Blog

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-06-24
Status: INVALID chain
Fingerprint: 690d401ec2aeb1188022b918f67e5d7dc608d355d302fc803d9d496f09eb3107
Subject Alternative Names (related infrastructure — often same operator):
- hashnode.dev

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
First detected: 2026-05-15 20:05:03 UTC (by PhishDestroy tracker)
First reported: 2026-05-15 20:04:57 UTC (abuse notice filed)
Last verified: 2026-07-03 04:20:37 UTC
Neutralised: 2026-06-06 17:30:45 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e2c98-f461-7712-8ef7-2eaff8f4c97d/
Wayback Machine: https://web.archive.org/web/*/connectbridgeen.hashnode.dev
crt.sh CT logs: https://crt.sh/?q=%25.connectbridgeen.hashnode.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=connectbridgeen.hashnode.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/connectbridgeen.hashnode.dev
URLhaus: https://urlhaus.abuse.ch/host/connectbridgeen.hashnode.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-15 20:06:06 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies connectbridgeen.hashnode.dev as an active crypto drainer scam harvesting cryptocurrency wallet credentials and private keys under the guise of a legitimate service connection bridge. This domain leverages Hashnode’s subdomain hosting (hashnode.dev) to lend false credibility to its fraudulent operation, tricking users into connecting wallets and authorizing malicious transactions that drain funds directly to attacker-controlled addresses. Security researchers note a rising trend of crypto drainers abusing trusted subdomain services to bypass traditional domain reputation checks, making this threat particularly deceptive for users expecting secure connections.

The domain’s malicious intent is confirmed through behavioral analysis showing redirection to fake wallet authorization pages once wallet connection is initiated. This domain was flagged as active under investigation with an SSL certificate issued by Google Trust Services (indicating initial trust but not guaranteeing safety), while VirusTotal currently reports 1 out of 95 security engines detecting malicious activity—underscoring how rapidly evolving crypto drainers evade detection. The subdomain connectbridgeen.hashnode.dev was registered recently, with creation date analysis indicating it surfaced within the last 30 days, and it has not yet been added to any public blocklists. Security teams highlight that crypto drainers often operate undetected for critical windows due to low initial detection rates and reliance on trusted certificate authorities, increasing the risk of successful exploitation during this period.

Users who visited or entered wallet credentials on connectbridgeen.hashnode.dev should immediately disconnect the connected wallet from all dApps and services, revoke any active session permissions using wallet settings (e.g., MetaMask’s “Connected Sites” or Phantom’s “Apps” menu), and transfer remaining funds to a new, isolated wallet. Enable hardware wallet signing for all future transactions and consider using blockchain transaction simulators to preview smart contract interactions before approval. Report the domain and any drained transactions to PhishDestroy and local cybercrime units, including wallet addresses and transaction hashes, to aid in takedown efforts. Monitor wallet addresses for outgoing transfers and set up transaction alerts to detect unauthorized activity promptly.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: ca262ea07e006cd6b0fbc88250f25dbd
TLS cert SHA-256: 690d401ec2aeb1188022b918f67e5d7dc608d355d302fc803d9d496f09eb3107

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/connectbridgeen.hashnode.dev/
JSON API: https://api.destroy.tools/v1/check?domain=connectbridgeen.hashnode.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,115 domains (13,577 alive under monitoring, 159,748 confirmed takedowns/dead).
Site: https://phishdestroy.io