# PhishDestroy threat dossier — donaldandmelania.com
================================================================
Fetched: 2026-06-29 03:11:00 UTC
Canonical: https://phishdestroy.io/domain/donaldandmelania.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Generic Phishing
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: status_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 2/91 security vendors flagged this domain
Flagging vendors: SOCRadar
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 2a02:26f0:b700:3::210:cc9f (US, Seattle)
ASN: AS20940 AKAMAI-ASN1 Akamai International B.V., NL
Hosting org: AS16509 Amazon.com, Inc.
Registrar: GoDaddy.com, LLC
Nameservers: ns3.afternic.com, ns4.afternic.com
Registered: 2026-01-30
Expires: 2027-01-30
Page title: donaldandmelania.com is for sale — Get a price in 24 hours | Afternic
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: GoDaddy.com, Inc. / Go Daddy Secure Certificate Authority - G2
Expires: 2026-08-16
Status: INVALID chain
Fingerprint: f5c8f326e6daef9d880675b26d1647b13e167c2101e57a158da578f6c73cb892

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-01-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-20 10:07:49 UTC (by PhishDestroy tracker)
First reported: 2026-06-20 08:11:09 UTC (abuse notice filed)
Last verified: 2026-06-29 04:47:09 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019ee412-13a0-76b4-8744-4e513135710d/
URLQuery: https://urlquery.net/report/6ee6d695-9af6-469c-acee-84eb1e4cba41
Wayback Machine: https://web.archive.org/web/*/donaldandmelania.com
crt.sh CT logs: https://crt.sh/?q=%25.donaldandmelania.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=donaldandmelania.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/donaldandmelania.com
URLhaus: https://urlhaus.abuse.ch/host/donaldandmelania.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-23 19:47:14 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This site, donaldandmelania.com, is a domain parking page, as indicated by the page title "donaldandmelania.com is for sale — Get a price in 24 hours | Afternic." The domain appears to be held for sale, but its specific name referencing political figures suggests potential for impersonation or brand squatting. The threat posed is that the domain could be used for phishing, misinformation, or other malicious activities targeting users interested in the associated individuals. Technical analysis reveals the domain has 1 detection out of 95 antivirus engines on VirusTotal, flagged by SOCRadar, and appears on 3 blocklists.
The domain is registered with GoDaddy.com, LLC, hosted on IP address 2a02:26f0:b700:3::210:cc9f (US) assigned to AS16509 Amazon.com, Inc., and was created on 2026-01-30. The SSL certificate is issued by GoDaddy.com, Inc./Go Daddy Secure Certificate Authority - G2. The domain status is ACTIVE, with a DOM risk score of 93 out of 100 and a GridinSoft trust rating of 0 out of 100, indicating a high risk. Cloaking (status_split) has been detected, further elevating the threat level. The domain is currently for sale through Afternic, but its high-risk profile warrants caution.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260620-DA49AA
Favicon MD5: fadb57f9ea13775f2140220fa8295e81
TLS cert SHA-256: f5c8f326e6daef9d880675b26d1647b13e167c2101e57a158da578f6c73cb892

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged.
A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/donaldandmelania.com/
JSON API: https://api.destroy.tools/v1/check?domain=donaldandmelania.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,271 domains (14,874 alive under monitoring, 156,851 confirmed takedowns/dead).
Site: https://phishdestroy.io