# PhishDestroy threat dossier — dhedge.finance
================================================================

Fetched: 2026-07-02 15:10:51 UTC
Canonical: https://phishdestroy.io/domain/dhedge.finance/

## VERDICT
----------------------------------------------------------------

TAKEN DOWN (neutralised)
Composite threat score: 95/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 4/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker, Gridinsoft, SOCRadar
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 188.114.96.3 (US, San Jose)
ASN: AS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org: AS16509 Amazon.com, Inc.
Registrar: Dynadot Inc
Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net
Registered: 2025-12-06
Expires: 2026-12-06
Page title: Web3 Connect Demo
HTTP response: 403

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Let's Encrypt / YR2
Expires: 2026-09-16
Status: INVALID chain
Fingerprint: 9d2e828a3fb9aa9f582063cdda23fbea1c8d85068d8c42ef93c6c80d29baf95d

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------

Domain registered: 2025-12-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-18 19:23:47 UTC (by PhishDestroy tracker)
First reported: 2026-06-18 17:25:45 UTC (abuse notice filed)
Last verified: 2026-07-02 16:47:17 UTC
Neutralised: 2026-06-19 00:04:48 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019edbc1-c445-707a-a659-3f5f61edf844/
URLQuery: https://urlquery.net/report/0654a124-348a-4de6-9d54-603fedc4f7b3
Wayback Machine: https://web.archive.org/web/*/dhedge.finance
crt.sh CT logs: https://crt.sh/?q=%25.dhedge.finance
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=dhedge.finance
AlienVault OTX: https://otx.alienvault.com/indicator/domain/dhedge.finance
URLhaus: https://urlhaus.abuse.ch/host/dhedge.finance/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-06-25 15:31:26 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

Analysis indicates dhedge.finance presents a high-risk fake login phishing profile. The active site currently displays the title "Web3 Connect Demo," a theme commonly associated with credential harvesting and wallet-authentication lures. Given the reported phishing classification and active operational status, the domain should be treated as a potential collection point for authentication data, account access tokens, or other sensitive user inputs. The combination of a login-oriented presentation and phishing intelligence elevates the likelihood of user-targeted credential theft.
Infrastructure analysis reveals that the domain remains active and resolves to IP address 188.114.96.3. The hosting infrastructure is geolocated in the United States under AS16509 Amazon.com, Inc. Registration records indicate the domain was created on December 06, 2025 and registered through Dynadot Inc. The observed SSL certificate is issued by Let's Encrypt with certificate identifier YR2. Security intelligence shows the domain appears on 1 security blocklist and has been blocked by PhishDestroy. Detection telemetry records 4 of 95 security vendors flagging the domain. These indicators do not independently confirm malicious behavior, but when combined with the phishing classification, active status, login-themed content, recent registration date, and blocklist presence, they contribute to an elevated risk assessment.

Mitigation guidance should focus on fake login phishing exposure. Users should avoid entering credentials, authentication codes, recovery phrases, wallet connection approvals, or other sensitive information through this domain. Organizations should implement network-level blocking, monitor for outbound connections to dhedge.finance, review authentication logs for unusual activity, and investigate any prior user interaction with the site. Security teams should collect DNS, certificate, and hosting telemetry for ongoing monitoring and maintain detection rules covering the domain, IP address 188.114.96.3, and related indicators. Any accounts potentially exposed through interaction with the site should undergo credential rotation and enhanced authentication review.

## EVIDENCE HASHES
----------------------------------------------------------------

PhishDestroy Case ID: PD-20260618-DF7984
Favicon MD5: b8a0bf372c762e966cc99ede8682bc71
TLS cert SHA-256: 9d2e828a3fb9aa9f582063cdda23fbea1c8d85068d8c42ef93c6c80d29baf95d

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/dhedge.finance/
JSON API: https://api.destroy.tools/v1/check?domain=dhedge.finance
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 173,905 domains (14,397 alive under monitoring, 158,784 confirmed takedowns/dead).
Site: https://phishdestroy.io