# PhishDestroy threat dossier — dixian.io ================================================================ Fetched: 2026-05-20 18:20:09 UTC Canonical: https://phishdestroy.io/domain/dixian.io/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 65/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/92 security vendors flagged this domain ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.40.222 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: HOSTINGER operations, UAB Nameservers: james.ns.cloudflare.com, meiling.ns.cloudflare.com Registered: 2026-05-17 Page title: DIXIAN.IO / 地仙觀 HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-08-15 Status: INVALID chain Fingerprint: 40c6c67d77e032ab7d3d45dbbca01e1a90c0181f3aec1a5b0aeebadc4bb0ab84 Subject Alternative Names (related infrastructure — often same operator): - www.dixian.io ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-18 21:28:54 UTC (by PhishDestroy tracker) Last verified: 2026-05-20 19:45:12 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e3c58-571e-70aa-96aa-5f51e162d78c/ Wayback Machine: https://web.archive.org/web/*/dixian.io crt.sh CT logs: https://crt.sh/?q=%25.dixian.io Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=dixian.io AlienVault OTX: https://otx.alienvault.com/indicator/domain/dixian.io URLhaus: https://urlhaus.abuse.ch/host/dixian.io/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-18 21:29:51 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies dixian.io as an active generic credential phishing domain under investigation for mimicking legitimate services to steal user login details. This domain employs a drainer kit designed to trick victims into submitting sensitive authentication data, potentially enabling follow-on attacks against compromised accounts. The infrastructure aligns with known tactics used by financially motivated threat actors to rapidly deploy fraudulent portals before security tools can flag them. dixian.io was registered through HOSTINGER operations, UAB on May 17, 2026 and resolves to IP address 104.21.40.222. VirusTotal currently shows 0/95 detections and the domain holds a valid SSL certificate issued by Google Trust Services. Google Safe Browsing has not flagged the domain as malicious at this time, and no public blocklists include it yet. These indicators suggest the domain is in its early operational phase, leveraging recently registered domains and trusted certificate authorities to evade detection. The domain remains active despite its low detection coverage, indicating a brief window of opportunity for threat actors to exploit unaware users. Security teams should monitor for hostnames resolving to the associated IP and consider preemptive blocking. While the immediate risk is still under assessment, proactive countermeasures are recommended due to the domain’s affiliation with known phishing frameworks. Continued observation is necessary as threat intelligence evolves and additional indicators emerge. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 957134da58963d7958f4942b1038ea61 TLS cert SHA-256: 40c6c67d77e032ab7d3d45dbbca01e1a90c0181f3aec1a5b0aeebadc4bb0ab84 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/dixian.io/ JSON API: https://api.destroy.tools/v1/check?domain=dixian.io Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 152,122 domains (43,327 alive under monitoring, 108,508 confirmed takedowns/dead). Site: https://phishdestroy.io