# PhishDestroy threat dossier — dydx.xyz-app.sbs ================================================================ Fetched: 2026-07-13 04:48:46 UTC Canonical: https://phishdestroy.io/domain/dydx.xyz-app.sbs/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 86/100 (PhishDestroy scoring — see methodology below) Targeted brand: dYdX Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 4/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, LevelBlue, SOCRadar, Webroot Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: Hosting Concepts B.V. d/b/a Registrar.eu Nameservers: kipp.ns.cloudflare.com, paislee.ns.cloudflare.com Registered: 2026-06-07 Expires: 2027-06-07 Page title: dYdX: DeFi's Pro Trading Platform HTTP response: 404 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-07 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 22:40:24 UTC (by PhishDestroy tracker) Last verified: 2026-07-13 04:20:41 UTC Neutralised: 2026-07-09 04:19:48 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3928-3dea-70c0-a303-516730470824/ Wayback Machine: https://web.archive.org/web/*/dydx.xyz-app.sbs crt.sh CT logs: https://crt.sh/?q=%25.dydx.xyz-app.sbs Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=dydx.xyz-app.sbs AlienVault OTX: https://otx.alienvault.com/indicator/domain/dydx.xyz-app.sbs URLhaus: https://urlhaus.abuse.ch/host/dydx.xyz-app.sbs/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-06 22:45:21 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, dydx.xyz-app.sbs, poses a direct threat as a crypto drainer phishing site targeting users of the dYdX decentralized exchange. Analysis indicates the infrastructure is designed to harvest wallet credentials and execute unauthorized token transfers, a tactic commonly associated with cryptocurrency theft. The site mimics legitimate dYdX interfaces, including login portals and transaction prompts, to deceive victims into disclosing sensitive information or signing malicious smart contracts. Evidence supporting this assessment includes detection by 3 out of 95 security vendors on VirusTotal, a low but indicative signal of malicious activity. The domain was registered on June 7, 2026, through Hosting Concepts B.V. d/b/a Registrar.eu, a registrar frequently observed in phishing campaigns due to its permissive registration policies. Infrastructure analysis reveals the domain resolves to the IP address 188.114.96.3, which has no prior association with legitimate dYdX services. The SSL certificate, issued by Google Trust Services, provides a false sense of security while failing to validate the site's authenticity. Users who have interacted with dydx.xyz-app.sbs should immediately revoke any wallet permissions granted to the site, transfer assets to a new wallet, and monitor transaction histories for unauthorized activity. Browser caches and stored credentials should be cleared to prevent persistent access. If financial loss has occurred, victims are advised to report the incident to relevant blockchain analysis platforms and law enforcement agencies with jurisdiction over cybercrime. This domain remains active and should be blocked at the network level to prevent further compromise. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 8ed5d00061d1435e0b3a237d2a8b8633 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/dydx.xyz-app.sbs/ JSON API: https://api.destroy.tools/v1/check?domain=dydx.xyz-app.sbs Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,009 domains (49,743 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io