# PhishDestroy threat dossier — epiclasix100.com ================================================================ Fetched: 2026-04-21 21:25:28 UTC Canonical: https://phishdestroy.io/domain/epiclasix100.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/95 security vendors flagged this domain URLQuery: 2 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.197.124 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Fewmoretaps OU d/b/a Trustname.com !!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!! Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity, Belarusian ownership. Explicitly advertises itself as 'bulletproof' in its DNS TXT records. Primary source: https://phishdestroy.io/trustname-bulletproof-exposed Nameservers: nelci.ns.cloudflare.com, nick.ns.cloudflare.com Registered: 2026-03-22 Page title: Domine o Trading em Tempo Real – Epic Lasix 100 HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-06-20 Status: INVALID chain Fingerprint: 72338f99da91c10f85e5f3f83023702a4201d526eac276af72ef29309fb291eb ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-03-22 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-21 06:53:18 UTC (by PhishDestroy tracker) First reported: 2026-04-21 03:56:05 UTC (abuse notice filed) Last verified: 2026-04-21 23:03:22 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dae29-e402-7756-bcb8-62691dbd212b/ URLQuery: https://urlquery.net/report/4b547c24-7cad-4732-87e7-8f9849712504 Wayback Machine: https://web.archive.org/web/*/epiclasix100.com crt.sh CT logs: https://crt.sh/?q=%25.epiclasix100.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=epiclasix100.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/epiclasix100.com URLhaus: https://urlhaus.abuse.ch/host/epiclasix100.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-21 06:55:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies epiclasix100.com as an active crypto drainer phishing domain currently under investigation. The threat involves malicious scripts designed to drain cryptocurrency wallets upon user interaction. The domain poses a high risk due to its active status, lack of prior detections, and infrastructure designed for fraudulent activity. Users are strongly advised to avoid engagement and verify the domain through PhishDestroy's real-time threat intelligence system. This domain was flagged with a risk level marked as under_investigation, with a specific threat type of generic_phishing. Technical indicators include a VirusTotal detection score of 0 out of 95, indicating no current antivirus or security vendor flagging despite its malicious intent. The domain resolves to IP address 172.67.197.124, which is associated with Cloudflare infrastructure, potentially used to obfuscate the true origin of the server. Additionally, the domain was registered through Fewmoretaps OU d/b/a Trustname.com, a registrar known for anonymizing domain ownership details, further complicating attribution. The domain was created on March 22, 2026, suggesting it is a recently deployed threat designed to exploit unsuspecting victims before widespread detection occurs. There are no known blocklist entries or trust score reductions at this time, likely due to its recency. Mitigation steps for this crypto drainer threat are critical to prevent financial loss. Users should immediately cease all interactions with epiclasix100.com, including refraining from visiting the site, downloading files, or entering any credentials or wallet addresses. Cryptocurrency holders should verify all transaction approvals and revoke any suspicious smart contract permissions via tools like Etherscan or Revoke.cash to prevent unauthorized fund transfers. Security researchers and users can submit this domain to PhishDestroy for further analysis and community-wide protection. Organizations should update firewall and DNS filtering rules to block access to this domain and its associated IP address. Continuous monitoring of wallet addresses linked to this domain is recommended, as crypto drainers often reuse addresses for tracking victim activities. Proactive threat intelligence sharing within cybersecurity communities will aid in faster detection and mitigation of similar threats. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260421-3BD130 Favicon MD5: bc8411faab752e400feac4b8ab645d57 TLS cert SHA-256: 72338f99da91c10f85e5f3f83023702a4201d526eac276af72ef29309fb291eb ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/epiclasix100.com/ JSON API: https://api.destroy.tools/v1/check?domain=epiclasix100.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io