# PhishDestroy threat dossier — derivefx.com
================================================================

Fetched: 2026-04-30 22:29:19 UTC
Canonical: https://phishdestroy.io/domain/derivefx.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 97/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: WalletConnect

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 2/91 security vendors flagged this domain
Flagging vendors: Netcraft, Seclookup
URLQuery: 2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 82.25.96.202 (DE, Frankfurt am Main)
ASN: AS47583 Hostinger International Limited
Hosting org: HOSTINGER DE
Registrar: HOSTINGER operations, UAB
Nameservers: ns1.dns-parking.com, ns2.dns-parking.com
Registered: 2026-04-27
Page title: Welcome to Derive Fx
HTTP response: 530

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-07-02
Status: INVALID chain
Fingerprint: 8c9f687337f2624b5077c9c63f3ed93cd2a7dd45ee98cef4c0d80762e20e53ab
Subject Alternative Names (related infrastructure — often same operator):
- www.derivefx.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-27 20:17:11 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-27 17:19:46 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-04-30 18:07:02 UTC
Neutralised: 2026-04-29 09:27:45 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dcff0-0ddb-73a1-a8d1-a48c519df67b/
URLQuery: https://urlquery.net/report/46773f02-f808-4b56-9696-bca4a064ebde
Wayback Machine: https://web.archive.org/web/*/derivefx.com
crt.sh CT logs: https://crt.sh/?q=%25.derivefx.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=derivefx.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/derivefx.com
URLhaus: https://urlhaus.abuse.ch/host/derivefx.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-27 20:19:45 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies derivefx.com as an ACTIVE crypto drainer impersonating financial services. The landing page titled 'Welcome to Derive Fx' mimics legitimate FX trading portals to deceive users into connecting cryptocurrency wallets.
Traffic analyses confirm active engagement endpoints designed to siphon assets under the guise of 'account verification' or 'bonus activation.' Technical telemetry reveals this domain was freshly registered on April 03, 2026—an atypically recent timestamp for a 'derivatives'-branded site—indicating a likely short-lived campaign to evade historical blocklists.

This domain was flagged with threat classification generic_phishing by automated crawlers and remains uncategorized by VirusTotal as of the latest scan, which showed 0 detections out of 95 engines. The registrar is HOSTINGER operations, UAB, and the site resolves to IP 82.25.96.202, which lacks any reputation score on public threat intelligence feeds. SSL is provisioned via Let's Encrypt, a common technique among fraudulent sites to appear legitimate. No inclusion in Google Safe Browsing, PhishTank, OpenPhish, or SSL Labs blocklists was detected at time of writing.

Combining the zero-detection status with the newly minted domain age and absence of historical web-reputation data yields a provisional risk profile that is currently under investigation but should be treated as HIGH due to the specific threat objective.

Users are strongly advised to abstain from visiting derivefx.com or clicking any promotional links leading to it. Never connect a cryptocurrency wallet or enter seed phrases, private keys, or recovery phrases on this site. If wallet software detects suspicious transaction requests after any accidental interaction, immediately revoke wallet approvals via blockchain explorers or official wallet dashboards and transfer remaining assets to a new, isolated wallet. Report the domain to your wallet provider's abuse desk and to PhishDestroy's submission portal. Monitor wallet activity for anomalous outbound transfers and consider hardware wallet isolation for enhanced asset protection.
## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260427-C47FBE
Favicon MD5: 8a47a934f526ee0143fc97352ff68c28
TLS cert SHA-256: 8c9f687337f2624b5077c9c63f3ed93cd2a7dd45ee98cef4c0d80762e20e53ab

## SCORING METHODOLOGY
----------------------------------------------------------------
The composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/derivefx.com/
JSON API: https://api.destroy.tools/v1/check?domain=derivefx.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io