# PhishDestroy threat dossier — defi-exchange.online ================================================================ Fetched: 2026-07-12 16:23:00 UTC Canonical: https://phishdestroy.io/domain/defi-exchange.online/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 74/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 4/95 security vendors flagged this domain Flagging vendors: alphaMountain.ai, ESET, Fortinet, SOCRadar AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.181.154 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: West263 International Limited Nameservers: erin.ns.cloudflare.com, kenneth.ns.cloudflare.com Registered: 2026-07-01 Expires: 2027-07-01 Page title: NexusTrade HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-09-29 Status: INVALID chain Fingerprint: 420ebfe4d5086f9d8e3a3905dfff1e60a2d232dda3e3a6d980e657ce18218e08 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 13:52:54 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 18:20:28 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f562b-fb1f-712a-88d5-ca8d9e74ec75/ Wayback Machine: https://web.archive.org/web/*/defi-exchange.online crt.sh CT logs: https://crt.sh/?q=%25.defi-exchange.online Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=defi-exchange.online AlienVault OTX: https://otx.alienvault.com/indicator/domain/defi-exchange.online URLhaus: https://urlhaus.abuse.ch/host/defi-exchange.online/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:18:45 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain defi-exchange.online is currently active and has been identified as a crypto‑drainer site. The page title presented to visitors is “NexusTrade”, suggesting a fabricated exchange interface intended to lure cryptocurrency users. The domain was registered on July 1 2026 through West263 International Limited and is hosted behind Cloudflare’s network, using the IP address 172.67.181.154 located in Canada. Technical fingerprinting shows the site is built with Vue.js and loads external assets from jsDelivr, while enforcing HTTP Strict Transport Security (HSTS) and serving content over HTTP/3. Cloudflare Browser Insights and standard Cloudflare headers are present, confirming the use of Cloudflare’s edge services. The SSL certificate is issued by Google Trust Services under the WE1 identifier, and the authoritative nameservers are erin.ns.cloudflare.com and kenneth.ns.cloudflare.com. Open‑source threat feeds have flagged the domain on three security blocklists, and it appears in two AlienVault OTX pulses. Independent scanning on VirusTotal returned four detections out of ninety‑five scanners, indicating a non‑trivial malicious profile. The site has been blocked by multiple anti‑phishing solutions, including PhishDestroy, MetaMask, and SEAL, reinforcing the assessment that it is being used to harvest private keys or redirect transactions to attacker‑controlled wallets. Defenders should add defi‑exchange.online to network‑level deny lists and configure web‑filtering solutions to block HTTP and HTTPS requests to the domain. Monitoring for DNS queries to the associated Cloudflare IP range can help identify compromised hosts attempting to reach the service. Incident responders should treat any credential or wallet address exposure from this site as compromised and advise affected users to rotate keys and review recent blockchain activity. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 5815dc1542daeba6ad15f0eb6d70cd86 TLS cert SHA-256: 420ebfe4d5086f9d8e3a3905dfff1e60a2d232dda3e3a6d980e657ce18218e08 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/defi-exchange.online/ JSON API: https://api.destroy.tools/v1/check?domain=defi-exchange.online Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,800 domains (49,496 alive under monitoring, 128,230 confirmed takedowns/dead). Site: https://phishdestroy.io