# PhishDestroy threat dossier — en-us-upheld.created.app ================================================================ Fetched: 2026-07-18 13:12:27 UTC Canonical: https://phishdestroy.io/domain/en-us-upheld.created.app/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Google Safebrowsing, Kaspersky, SOCRadar, Webroot URLQuery: 2 detections Public blocklists: listed on 3 independent blocklists Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 216.150.1.129 (US, Walnut) ASN: AS16509 Amazon.com, Inc. Hosting org: Vercel, Inc Registrar: Name.com, Inc. Nameservers: ["ns1.vercel-dns.com", "ns2.vercel-dns.com"] Page title: Trade Digital Assets HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-09-29 Status: INVALID chain Fingerprint: 2c01f2d2d2586ccbd99eb3ef460c9285ba54a55cea9f9f0d693afd9b63d9595f ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-12 13:17:38 UTC (by PhishDestroy tracker) First reported: 2026-07-12 18:26:21 UTC (abuse notice filed) Last verified: 2026-07-18 14:48:04 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f560b-a0d4-71bf-a1ea-165fca5d7248/ URLQuery: https://urlquery.net/report/a2713bbd-c2bb-4959-9f59-e6cdde741ec7 Wayback Machine: https://web.archive.org/web/*/en-us-upheld.created.app crt.sh CT logs: https://crt.sh/?q=%25.en-us-upheld.created.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=en-us-upheld.created.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/en-us-upheld.created.app URLhaus: https://urlhaus.abuse.ch/host/en-us-upheld.created.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:19:25 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] en-us-upheld.created.app: Confirmed Phishing Site The domain en-us-upheld.created.app is currently active and serves a page titled “Trade Digital Assets”. Google Safe Browsing has classified the URL under the SOCIAL_ENGINEERING category, indicating a high‑confidence indication of credential‑stealing behavior. The site returns HTTP 200, confirming that the content is being served as expected. Network analysis shows the domain resolves to the IPv4 address 216.150.1.129, which is owned by a US‑based infrastructure provider known for cloud hosting services. The TLS certificate is issued by Let’s Encrypt and is valid for the current year, suggesting the operators have maintained a legitimate‑looking HTTPS surface. Technology fingerprinting identifies a stack comprising Node.js, React, Next.js, and a content delivery network backed by the same cloud provider, together with feature flagging services and HSTS enforcement. Reputation services reinforce the malicious assessment: Google Safe Browsing flags the site for social engineering, and VirusTotal reports that five out of ninety‑five scanners have identified the domain as malicious. The domain appears on three independent security blocklists and is actively blocked by PhishDestroy, MetaMask, and SEAL, indicating that multiple downstream protection platforms have observed abusive activity. Nameserver information could not be retrieved, which may reflect a deliberate attempt to obscure DNS configuration. Defenders should treat en-us-upheld.created.app as a high‑risk indicator and add it to deny lists across perimeter firewalls, DNS filtering, and endpoint protection solutions. Monitoring for new subdomains under the created.app namespace is advisable, as the observed pattern suggests the infrastructure could be reused for further credential‑harvesting campaigns. Incident response teams should also consider sinkholing traffic to the resolved IP address to disrupt the command‑and‑control flow and to gather additional telemetry on potential victims. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-294F02 TLS cert SHA-256: 2c01f2d2d2586ccbd99eb3ef460c9285ba54a55cea9f9f0d693afd9b63d9595f ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/en-us-upheld.created.app/ JSON API: https://api.destroy.tools/v1/check?domain=en-us-upheld.created.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,952 domains (51,350 alive under monitoring, 128,602 confirmed takedowns/dead). Site: https://phishdestroy.io