# PhishDestroy threat dossier — defibitpro.com
================================================================

Fetched:   2026-05-25 11:01:06 UTC
Canonical: https://phishdestroy.io/domain/defibitpro.com/

## VERDICT
----------------------------------------------------------------
STATUS STALE — last probed 42 days ago, treat as ACTIVE until re-verified
Composite threat score: 57/100 (PhishDestroy scoring — see methodology below)
Scam classification: cryptocurrency

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      2/93 security vendors flagged this domain
  Flagging vendors: Gridinsoft, SOCRadar
URLQuery:        2 detections
Public blocklists: listed on 1 independent blocklist
Victim re-reports (public form): 1

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      198.251.89.220 (US, Cheyenne)
ASN:             ASAS53667 FranTech Solutions
Hosting org:     AS53667 FranTech Solutions
Registrar:       Global Domain Group LLC
Nameservers:     ["ns27.my-control-panel.com", "ns28.my-control-panel.com"]
Registered:      2026-02-21
Expires:         2027-01-22
Page title:      Problem loading page
HTTP response:   500

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R13
Expires:    2026-04-22
Status:     INVALID chain
Fingerprint: c97ad60c3241044ced77f7661af1f929d8487ce1e8bdc9fe0721849859d7cf4c
Subject Alternative Names (related infrastructure — often same operator):
  - defibitpro.com.spacetradeinvest.com
  - www.app.defibitpro.com
  - www.defibitpro.com.spacetradeinvest.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-02-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-02-25 02:39:27 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-02-14 00:37:03 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-04-12 22:45:00 UTC (STALE — 42 days ago, re-verify)
Flagged dead:      2026-02-28 16:31:02 UTC (NOT RE-VERIFIED IN 42 DAYS — treat as unconfirmed)
Current status:    UNCONFIRMED (our live-probe is 42 days stale)

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019c5691-5eec-751d-9591-23540e0495eb/
URLQuery:         https://urlquery.net/report/27d0fb7f-55c4-42a4-9a19-ec6b995865f8
Wayback Machine:  https://web.archive.org/web/*/defibitpro.com
crt.sh CT logs:   https://crt.sh/?q=%25.defibitpro.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=defibitpro.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/defibitpro.com
URLhaus:          https://urlhaus.abuse.ch/host/defibitpro.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-03-19 15:32:18 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain defibitpro.com operates as a cryptocurrency drainer, which means it's designed to steal digital assets from users' wallets when they connect to the site. These malicious sites often mimic legitimate crypto platforms to trick users into authorizing transactions that drain their funds.

Security analysis reveals this domain was created on February 21, 2026 through Global Domain Group LLC and uses PHP, Tailwind CSS, and LiteSpeed technologies. VirusTotal shows 2 out of 95 security vendors flag this domain, and it appears on 1 security blocklist, specifically being blocked by PhishDestroy. The domain currently resolves to IP address 198.251.89.220 but has been taken offline.

If you visited defibitpro.com and connected your cryptocurrency wallet, immediately disconnect your wallet from the site and revoke any permissions granted. Transfer any remaining funds to a new, secure wallet address, and monitor your transactions for unauthorized activity. Consider using wallet security tools to scan for malicious connections and report the incident to relevant crypto security communities.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260214-7A5FED
Favicon SHA-256:       826c1c8429a1d696efe8e3dde929d5007a3dbf00163fd60c256b59f7e94403c5
TLS cert SHA-256:      c97ad60c3241044ced77f7661af1f929d8487ce1e8bdc9fe0721849859d7cf4c

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/defibitpro.com/
JSON API:          https://api.destroy.tools/v1/check?domain=defibitpro.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 152,979 domains (39,600 alive under monitoring, 112,923 confirmed takedowns/dead). Site: https://phishdestroy.io