# PhishDestroy threat dossier — doppler.finance.ski
================================================================

Fetched:   2026-06-26 03:23:16 UTC
Canonical: https://phishdestroy.io/domain/doppler.finance.ski/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      15/91 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, SOCRadar, Sophos, VIPRE, Webroot
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.96.3 (US, San Francisco)
ASN:             ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org:     AS13335 Cloudflare, Inc.
Registrar:       GNAME.COM PTE. LTD.
Nameservers:     ["curt.ns.cloudflare.com", "macy.ns.cloudflare.com"]
Page title:      Doppler Finance
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / YE2
Expires:    2026-08-31
Status:     INVALID chain
Fingerprint: cfe243df200a8421f3839b2a940ac3400953a94920cf36b5653e2168d1b4e0d5
Subject Alternative Names (related infrastructure — often same operator):
  - finance.ski

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
First detected:    2026-06-17 16:31:31 UTC (by PhishDestroy tracker)
Last verified:     2026-06-26 04:20:34 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019ed5fd-ceee-746e-a645-688c6a867328/
Wayback Machine:  https://web.archive.org/web/*/doppler.finance.ski
crt.sh CT logs:   https://crt.sh/?q=%25.doppler.finance.ski
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=doppler.finance.ski
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/doppler.finance.ski
URLhaus:          https://urlhaus.abuse.ch/host/doppler.finance.ski/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 20:22:16 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain doppler.finance.ski is currently flagged as an active cryptocurrency wallet phishing site impersonating Doppler Finance, a decentralized finance platform. Analysis indicates the domain is designed to deceive users into disclosing wallet credentials or transferring digital assets under false pretenses. The site remains operational and exhibits elevated risk characteristics, including recent registration and confirmed malicious activity targeting financial services users.  Infrastructure analysis reveals the domain is registered through GNAME.COM PTE. LTD. and resolves to the IP address 188.114.96.3, which is associated with content delivery networks commonly exploited for phishing operations. The site employs a Let's Encrypt SSL certificate to present a false sense of legitimacy, while detection metrics confirm its malicious nature: 15 of 95 security vendors on VirusTotal have flagged the domain as phishing-related. Additionally, the domain appears on one security blocklist and is actively blocked by at least one threat intelligence feed. Technologies detected include Cloudflare and HTTP/3, which are frequently leveraged to obfuscate malicious infrastructure and evade detection.  Current assessment indicates the domain remains a credible threat to users of decentralized finance platforms. Organizations and individuals are advised to implement immediate countermeasures, including blocking the domain and its resolving IP at the network perimeter, updating endpoint protection rules to include this indicator of compromise, and alerting users to the presence of this phishing campaign. Given the domain's active status and confirmed malicious intent, continuous monitoring for related infrastructure and secondary attack vectors is recommended. Users who may have interacted with the site should revoke any connected wallet permissions and monitor accounts for unauthorized transactions.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       72dc28498c279df3afe7deecbce7bd44
TLS cert SHA-256:      cfe243df200a8421f3839b2a940ac3400953a94920cf36b5653e2168d1b4e0d5

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/doppler.finance.ski/
JSON API:          https://api.destroy.tools/v1/check?domain=doppler.finance.ski
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,049 domains (12,246 alive under monitoring, 157,244 confirmed takedowns/dead). Site: https://phishdestroy.io