# PhishDestroy threat dossier — emilywilson.site
================================================================
Fetched: 2026-07-02 03:58:32 UTC
Canonical: https://phishdestroy.io/domain/emilywilson.site/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 46/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: Gridinsoft
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 37.140.192.161 (RU, Moscow)
ASN: AS197695 "Domain names registrar REG.RU", Ltd
Hosting org: Reg.Ru
Registrar: Registrar of Domain Names REG.RU LLC
Nameservers: ns1.hosting.reg.ru, ns2.hosting.reg.ru
Registered: 2026-04-29
Page title: Emily Crypto Diary | Investor Story

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-07-28
Status: INVALID chain
Fingerprint: 30dd885d72c3b15d4d6d1a38ec324ecd3f3a74c4849bc8435f0c74aaf9e2d1a2
Subject Alternative Names (related infrastructure — often same operator):
- www.emilywilson.site

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-28 23:06:30 UTC (by PhishDestroy tracker)
First reported: 2026-06-28 21:14:20 UTC (abuse notice filed)
Last verified: 2026-07-02 05:47:23 UTC
Neutralised: 2026-06-29 00:18:17 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f100c-7f90-70af-a9a8-ec86abe3179b/
URLQuery: https://urlquery.net/report/5c93fa35-ad6c-454d-a35b-f4a557914bcb
Wayback Machine: https://web.archive.org/web/*/emilywilson.site
crt.sh CT logs: https://crt.sh/?q=%25.emilywilson.site
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=emilywilson.site
AlienVault OTX: https://otx.alienvault.com/indicator/domain/emilywilson.site
URLhaus: https://urlhaus.abuse.ch/host/emilywilson.site/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-28 23:14:46 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain emilywilson.site is suspected of being a generic phishing site and is currently active. There is a high risk level associated with this domain, which appears to impersonate an investor or cryptocurrency brand. The domain is registered through Registrar of Domain Names REG.RU LLC and resolves to the IP address 37.140.192.161. The SSL certificate for the domain is issued by Let's Encrypt, a common certificate authority used by both legitimate and malicious sites. This domain has been flagged by 1 of 95 VirusTotal vendors, indicating a potential threat.

The domain was created on April 29, 2026, which is relatively recent and can be a sign of a new phishing campaign. The IP address 37.140.192.161 is hosted in a location that has been associated with other malicious activities. The use of a trusted SSL certificate from Let's Encrypt can make the site appear legitimate, potentially increasing the success rate of the phishing attempt. The minimal blocklist count and low trust scores further suggest that the domain is under scrutiny but not yet widely recognized as malicious.

Given the current status and the specific threat indicators, it is recommended that users exercise extreme caution when interacting with emilywilson.site. Security teams should consider adding this domain to their blocklists and monitoring for any related malicious activity. Additionally, conducting further investigation, such as DNS and WHOIS lookups, can provide more insights into the domain's infrastructure and potential connections to known threat actors.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260628-A228C0
Favicon MD5: 504519a087ea4609afb4e5802fce7b1f
TLS cert SHA-256: 30dd885d72c3b15d4d6d1a38ec324ecd3f3a74c4849bc8435f0c74aaf9e2d1a2

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/emilywilson.site/
JSON API: https://api.destroy.tools/v1/check?domain=emilywilson.site
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,583 domains (13,714 alive under monitoring, 159,163 confirmed takedowns/dead).
Site: https://phishdestroy.io