# PhishDestroy threat dossier — dpdsuivicolisschweiz.vercel.app ================================================================ Fetched: 2026-07-13 04:41:31 UTC Canonical: https://phishdestroy.io/domain/dpdsuivicolisschweiz.vercel.app/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Brand Impersonation Targeted brand: Sui Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, CyRadar, ESET, Fortinet, G-Data, Google Safebrowsing, Gridinsoft, Kaspersky, LevelBlue, MalwareURL, Mimecast, OpenPhish, Sophos, Webroot Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 64.29.17.67 (US, Walnut) ASN: ASAS16509 AMAZON-02 - Amazon.com, Inc., US Hosting org: AS16509 Amazon.com, Inc. Registrar: Vercel Inc. Nameservers: NS_NOT_FOUND Registered: 2026-06-25 Page title: Service des colis suisse | DPD Suisse HTTP response: 404 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WR1 Expires: 2026-07-27 Status: INVALID chain Fingerprint: f832dfb2653761e8b0001dbaf84eab20667c9bfb0520700547d3b3bf548143aa Subject Alternative Names (related infrastructure — often same operator): - vercel.app ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-24 12:31:09 UTC — PREDATES WHOIS; likely from a prior registration of the same name (dropped-domain re-registration) Last verified: 2026-07-13 04:20:41 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019ef92d-b77f-729c-9c36-d5a093670dee/ Wayback Machine: https://web.archive.org/web/*/dpdsuivicolisschweiz.vercel.app crt.sh CT logs: https://crt.sh/?q=%25.dpdsuivicolisschweiz.vercel.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=dpdsuivicolisschweiz.vercel.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/dpdsuivicolisschweiz.vercel.app URLhaus: https://urlhaus.abuse.ch/host/dpdsuivicolisschweiz.vercel.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-07 21:44:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, dpdsuivicolisschweiz.vercel.app, is identified as a high-risk brand impersonation threat targeting the Sui cryptocurrency ecosystem. Analysis indicates the domain is designed to deceive users into believing it is an official Sui-related service, likely for the purpose of credential harvesting, unauthorized fund transfers, or deployment of malicious smart contracts. The domain employs social engineering tactics, including visual mimicry of legitimate Sui interfaces, to exploit users familiar with the brand. Infrastructure analysis reveals the following technical indicators: the domain is flagged by 15 out of 95 security vendors on VirusTotal, indicating a consensus on its malicious nature. It is registered through Vercel Inc. and resolves to the IP address 216.198.79.131, hosted on Amazon.com, Inc. infrastructure (AS16509) in the United States. The domain appears on one security blocklist and is explicitly labeled as phishing by Google Safe Browsing. The SSL certificate is issued by Google Trust Services under the WR1 intermediate, a common certificate authority for both legitimate and malicious domains, which does not mitigate the risk. No specific creation date is provided, but the domain remains actively hosted and unresolved in passive DNS records. Current status confirms the domain is still active and operational, posing an ongoing risk to users. Response actions include its inclusion on at least one security blocklist and detection by endpoint protection systems, though evasion techniques may limit coverage. The remaining risk is classified as high due to the domain's active status, brand impersonation of a high-value cryptocurrency target, and the potential for financial loss or account compromise. Users are advised to block the domain at the network level, avoid interacting with any communications or links associated with it, and verify all Sui-related services through official channels only. Organizations should update detection rules to include the domain and its resolving IP as indicators of compromise. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 64b25a88e96ab50948939fb7286240f8 TLS cert SHA-256: f832dfb2653761e8b0001dbaf84eab20667c9bfb0520700547d3b3bf548143aa ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/dpdsuivicolisschweiz.vercel.app/ JSON API: https://api.destroy.tools/v1/check?domain=dpdsuivicolisschweiz.vercel.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,009 domains (49,743 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io