# PhishDestroy threat dossier — crystalmark-io.com.cn ================================================================ Fetched: 2026-07-17 01:29:33 UTC Canonical: https://phishdestroy.io/domain/crystalmark-io.com.cn/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Brand Impersonation ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 14/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, SOCRadar, Sophos, VIPRE AlienVault OTX: 4 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 154.209.97.151 (HK, Tung Chung) ASN: ASAS132839 POWERLINE-AS-AP - POWER LINE DATACENTER, HK Hosting org: AS132839 POWER LINE DATACENTER Registrar: 北京新网数码信息技术有限公司 Nameservers: ns1.363.hk, ns2.363.hk Registered: 2026-06-26 Expires: 2027-06-26 Page title: CrystalDiskInfo 官方中文站 | 硬盘健康检测 S.M.A.R.T 监控 免费下载 HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-09-24 Status: INVALID chain Fingerprint: c5b03a680adcc037ecb1aba784f4dd417186910efb237677154ccd555364407b Subject Alternative Names (related infrastructure — often same operator): - www.crystalmark-io.com.cn ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 14:42:22 UTC (by PhishDestroy tracker) Last verified: 2026-07-17 00:20:45 UTC Neutralised: 2026-07-06 18:16:50 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3771-a3f1-7593-b331-3811ef309a63/ Wayback Machine: https://web.archive.org/web/*/crystalmark-io.com.cn crt.sh CT logs: https://crt.sh/?q=%25.crystalmark-io.com.cn Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=crystalmark-io.com.cn AlienVault OTX: https://otx.alienvault.com/indicator/domain/crystalmark-io.com.cn URLhaus: https://urlhaus.abuse.ch/host/crystalmark-io.com.cn/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 19:55:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] Analysis indicates that crystalmark-io.com.cn is an active malicious site hosting a phishing impersonation campaign. The domain was registered on 26 June 2026 through 北京新网数码信息技术有限公司 and is hosted on IP 154.209.97.151, which resolves to a Hong Kong data centre (AS132839 POWER LINE DATACENTER). Authoritative nameservers ns1.363.hk and ns2.363.hk are in use. The web server presents a valid Let's Encrypt (YR1) certificate and operates Nginx with HTTP Strict Transport Security and HTTP/3 support, returning HTTP 200 for the landing page. The page title references “CrystalDiskInfo 官方中文站 | 硬盘健康检测 S.M.A.R.T 监控 免费下载”, suggesting an attempt to masquerade as a legitimate Chinese software download site. Security telemetry shows the domain appears on three blocklists and is currently blocked by SEAL, MetaMask and PhishDestroy. VirusTotal analysis reports 14 of 91 scanners flagging the domain, and Gridinsoft assigns a trust score of 0 / 100. AlienVault OTX lists the indicator in four distinct threat pulses. Uncertainty remains regarding the exact payload or credential‑collection mechanism, as no content inspection has been performed. Defenders should block DNS resolution to the domain, enforce web‑proxy filtering for the associated IP and certificate fingerprint, and monitor for any outbound connections to the host. Continuous re‑scan with multi‑engine services is recommended to capture any evolving indicators. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 26cede8409b0b835686b5e3bcdccf90b TLS cert SHA-256: c5b03a680adcc037ecb1aba784f4dd417186910efb237677154ccd555364407b ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/crystalmark-io.com.cn/ JSON API: https://api.destroy.tools/v1/check?domain=crystalmark-io.com.cn Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,550 domains (51,015 alive under monitoring, 128,535 confirmed takedowns/dead). Site: https://phishdestroy.io