# PhishDestroy threat dossier — desktopwallet-installer.online
================================================================
Fetched: 2026-07-02 15:58:08 UTC
Canonical: https://phishdestroy.io/domain/desktopwallet-installer.online/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 83/100 (PhishDestroy scoring — see methodology below)
Scam classification: cryptocurrency
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: status_split) (score: 1/6)
Note on HTTP 666: this is not a registered status code. A scanner that treats any non-2xx/3xx response as "site down" will record this domain as offline, which is precisely the effect a status-split cloak is after; confirm liveness with a browser-like client profile before closing a case.

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/93 security vendors flagged this domain
Flagging vendors: Fortinet, Gridinsoft, SOCRadar
URLQuery: 3 detections
Public blocklists: listed on 1 independent blocklist
Victim re-reports (public form): 1

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 216.198.79.65 (US, Walnut)
ASN: AS16509 AMAZON-02 - Amazon.com, Inc., US
Hosting org: AS16509 Amazon.com, Inc.
Registrar: NiceNIC International Group Co., Limited

!!! REGISTRAR INTEGRITY ALERT — NiceNIC !!!
NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response.
Primary sources:
  https://phishdestroy.io/nicenic-real
  https://phishdestroy.io/nicenic-verdict

Nameservers: fiona.ns.cloudflare.com, rayden.ns.cloudflare.com
Registered: 2026-02-21
Page title: Bifrost Wallet

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-05-19 (already expired at the 2026-07-02 fetch)
Status: INVALID chain
Fingerprint (SHA-256): dc78b861061779a7bad5210cb53970ed9f4f14bce7262ab8e18b250986983dad

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-02-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-02-25 02:39:27 UTC (by PhishDestroy tracker)
Earliest abuse record: 2026-02-20 16:20:24 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-07-02 16:20:38 UTC
Neutralised: 2026-03-15 06:14:44 UTC (subsequently observed active again; see Current status)
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.
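The VERDICT and TIMELINE sections describe a status-split cloak: automation receives HTTP 666 while a real visitor receives the wallet page. The script below is an added example, not PhishDestroy tooling, showing how to test a URL for exactly that pattern: fetch it under several client profiles and compare the status codes and body hashes each profile got back. The profile headers, the `example.invalid` URL and the `fake_transport` stand-in that imitates this domain's behaviour are constructed assumptions; the default `urllib_fetch` does a live request.

```python
"""Status-split cloaking probe.

Added illustration, not PhishDestroy's tooling. Fetches one URL under several
client profiles and compares status codes and body hashes across them. The
profile headers and the fake transport used in the demo are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Headers a cloak commonly keys on. The "scanner-*" profiles look like
# automation; "browser-chrome" looks like a real visitor.
PROFILES: Dict[str, Dict[str, str]] = {
    "scanner-python": {"User-Agent": "python-requests/2.31"},
    "scanner-curl": {"User-Agent": "curl/8.5.0"},
    "browser-chrome": {
        "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) "
                       "Chrome/124.0 Safari/537.36"),
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.9",
    },
}

# A fetcher returns (status, body) for a URL fetched with the given headers.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def urllib_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Tuple[int, bytes]:
    """Live fetcher. urllib raises HTTPError for every non-2xx status, including
    non-standard codes such as 666, so catch it and keep both code and body."""
    req = Request(url, headers=headers)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


@dataclass(frozen=True)
class Observation:
    status: int
    body_sha256: str
    body_len: int


def probe(url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, Observation]:
    """Fetch the URL once per profile and record what each profile saw."""
    seen: Dict[str, Observation] = {}
    for name, headers in PROFILES.items():
        status, body = fetch(url, headers)
        seen[name] = Observation(status, hashlib.sha256(body).hexdigest(), len(body))
    return seen


def classify(seen: Dict[str, Observation]) -> str:
    """status_split: profiles got different HTTP status codes (the pattern this
    dossier records). content_split: same status but different bodies; treat it
    as a lead to confirm with a rendered comparison, since dynamic pages vary
    too. consistent: every profile saw the same thing."""
    statuses = {o.status for o in seen.values()}
    bodies = {o.body_sha256 for o in seen.values()}
    if len(statuses) > 1:
        return "status_split"
    if len(bodies) > 1:
        return "content_split"
    return "consistent"


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the live site: HTTP 666 with an empty body for
    automation, a wallet-branded page for a browser-looking client."""
    ua = headers.get("User-Agent", "")
    if ua.startswith("Mozilla/") and "Accept-Language" in headers:
        return 200, b"<html><head><title>Bifrost Wallet</title></head><body>Install</body></html>"
    return 666, b""


if __name__ == "__main__":
    # Offline demo against the constructed transport; pass urllib_fetch (the
    # default) instead to probe a live URL.
    result = probe("https://example.invalid/", fake_transport)
    for name, obs in result.items():
        print(f"{name:15s} status={obs.status} len={obs.body_len}")
    print("verdict:", classify(result))
```

Run it against a live target only from a host whose IP you are happy to have logged by the operator; cloaks also key on source ASN, referrer and TLS fingerprint, so a single-header split is a positive signal but a consistent result is not proof of a clean site.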
## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019c7bd1-bfdd-77c5-8250-efa006b97661/
URLQuery: https://urlquery.net/report/1781f397-3ea5-42d9-ba83-55d2f41beebf
Wayback Machine: https://web.archive.org/web/*/desktopwallet-installer.online
crt.sh CT logs: https://crt.sh/?q=%25.desktopwallet-installer.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=desktopwallet-installer.online
AlienVault OTX: https://otx.alienvault.com/indicator/domain/desktopwallet-installer.online
URLhaus: https://urlhaus.abuse.ch/host/desktopwallet-installer.online/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 19:20:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, desktopwallet-installer.online, is flagged as crypto-drainer infrastructure targeting users of Bifrost Wallet. Analysis indicates the site masquerades as a legitimate wallet installer in order to execute unauthorized cryptocurrency transfers from victims' wallets. The page title explicitly references Bifrost Wallet, suggesting a targeted phishing campaign aimed at users seeking a wallet installation or update. No specific drainer kit has been conclusively identified, but the infrastructure aligns with known crypto-draining attack patterns, including deceptive download prompts and wallet-connection requests.

Technical indicators show the domain was registered on February 21, 2026, through NiceNIC International Group Co., Limited, an uncommon registrar for legitimate wallet services. At the time this narrative was generated it resolved to 216.198.79.1 (the INFRASTRUCTURE section above records 216.198.79.65 at fetch time), an address with no prior association with Bifrost or any verified wallet provider.
At generation time VirusTotal reported 0 detections out of 95 engines (3/93 at fetch time; see DETECTION EVIDENCE), consistent with either evasion or recent deployment. The domain appears on a single security blocklist, while Google Safe Browsing (GSB) status remains unconfirmed. The TLS certificate is issued by Let's Encrypt, a common choice for both legitimate and malicious sites, and the narrative observed Vercel hosting with HTTP Strict Transport Security (HSTS) enabled, likely to enhance perceived legitimacy (the INFRASTRUCTURE section records the IP within AS16509 Amazon).

The narrative's assessment recorded desktopwallet-installer.online as offline; the VERDICT above records it as active behind HTTP 666 cloaking, which is exactly how a status-split cloak presents to an automated scanner. Its recent registration and low detection rate suggest a short-lived or highly targeted campaign. Users who interacted with the site should revoke any wallet permissions or token approvals granted and monitor transaction histories for unauthorized activity; anyone who executed a downloaded installer or entered a seed phrase should treat that host and that wallet as compromised and move funds to a fresh wallet. The registrar and hosting provider have not publicly acknowledged takedown requests, leaving the domain's infrastructure intact. Continued monitoring is advised, as reactivation or migration to a new domain remains a plausible threat vector.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260220-33A367
Favicon MD5: 8386040c0b885f63c8a8d1862d1cbc18
TLS cert SHA-256: dc78b861061779a7bad5210cb53970ed9f4f14bce7262ab8e18b250986983dad

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/desktopwallet-installer.online/
JSON API: https://api.destroy.tools/v1/check?domain=desktopwallet-installer.online
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 173,919 domains (14,406 alive under monitoring, 158,785 confirmed takedowns/dead).
Site: https://phishdestroy.io
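The SCORING METHODOLOGY section argues that a composite over capped signal classes beats reading VirusTotal alone. The following Python is an added example of that idea, not PhishDestroy's scoring code: the weights, per-class caps and the 70/40 verdict thresholds are assumptions chosen for the demonstration, and the three indicator sets are constructed (the first loosely mirrors this dossier's own fields, the second is the "0/95 VT but actively draining" case the caveat above describes).

```python
"""Composite scoring over the signal classes listed in the methodology.

Added illustration, not PhishDestroy's scoring code. Weights, caps and the
70/40 thresholds are assumptions made up for the demo; the three indicator
sets at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Indicators:
    vt_hits: int                  # vendors flagging the domain
    vt_engines: int               # vendors consulted
    blocklists: int               # independent public blocklists listing it
    dns_filters: int              # DNS filters returning a block verdict
    cloaking: bool                # status or rendering delta, bot vs real visitor
    brand_impersonation: bool     # DOM/title impersonates a known brand
    kit_family: Optional[str]     # drainer/kit family if fingerprinted
    free_tls: bool                # Let's Encrypt-style throwaway cert
    registrar_abuse_rate: float   # share of registrar's domains tied to abuse, 0..1
    domain_age_days: int          # age at assessment


def composite_score(ind: Indicators) -> Tuple[int, List[str]]:
    """Return (score 0..100, reasons). Every class is capped so that no single
    feed, VT included, can carry the verdict on its own."""
    score = 0
    reasons: List[str] = []

    # VT capped at 15 points: a fresh scam domain is expected to sit at 0/N,
    # so a low count is weak evidence in either direction.
    ratio = ind.vt_hits / ind.vt_engines if ind.vt_engines else 0.0
    vt_pts = min(15, round(ratio * 150))
    if vt_pts:
        score += vt_pts
        reasons.append(f"VT {ind.vt_hits}/{ind.vt_engines} (+{vt_pts})")

    bl_pts = min(20, 10 * ind.blocklists)
    if bl_pts:
        score += bl_pts
        reasons.append(f"{ind.blocklists} public blocklist(s) (+{bl_pts})")

    dns_pts = min(10, 5 * ind.dns_filters)
    if dns_pts:
        score += dns_pts
        reasons.append(f"{ind.dns_filters} DNS filter(s) blocking (+{dns_pts})")

    if ind.cloaking:
        score += 25
        reasons.append("cloaking: bot/visitor split (+25)")

    if ind.brand_impersonation:
        score += 15
        reasons.append("brand impersonation in DOM/title (+15)")

    if ind.kit_family:
        score += 10
        reasons.append(f"kit family {ind.kit_family} (+10)")

    # Free TLS only counts on young infrastructure; on an old domain it is noise.
    if ind.free_tls and ind.domain_age_days < 90:
        score += 5
        reasons.append("free TLS on a <90-day-old domain (+5)")

    reg_pts = 15 if ind.registrar_abuse_rate >= 0.5 else round(ind.registrar_abuse_rate * 15)
    if reg_pts:
        score += reg_pts
        reasons.append(f"registrar abuse rate {ind.registrar_abuse_rate:.0%} (+{reg_pts})")

    return min(100, score), reasons


def verdict(score: int) -> str:
    return "malicious" if score >= 70 else "suspicious" if score >= 40 else "low"


# Constructed indicator sets (hypothetical values, not live data).
CLOAKED_SCAM = Indicators(3, 93, 1, 0, True, True, None, True, 0.9, 4)
ZERO_VT_SCAM = Indicators(0, 95, 1, 0, True, True, None, True, 0.9, 3)
QUIET_SITE = Indicators(0, 95, 0, 0, False, False, None, True, 0.01, 400)

if __name__ == "__main__":
    cases = [("cloaked scam", CLOAKED_SCAM), ("zero-VT scam", ZERO_VT_SCAM), ("quiet site", QUIET_SITE)]
    for label, ind in cases:
        s, why = composite_score(ind)
        print(f"{label}: {s}/100 -> {verdict(s)}")
        for r in why:
            print("   ", r)
```

The zero-VT case lands on the malicious side purely on cloaking, impersonation, a single blocklist hit and the registrar's track record, while VT contributes nothing; that is the cross-referencing the methodology asks for. The reasons list is what you want in a ticket or a blocklist commit message, since a bare number is not reviewable.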