# PhishDestroy threat dossier — eth-cowswap.click
================================================================

Fetched:   2026-06-21 02:51:14 UTC
Canonical: https://phishdestroy.io/domain/eth-cowswap.click/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      5/91 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker, Fortinet, Gridinsoft, SOCRadar
AlienVault OTX:  2 pulses (threat-intel feed mentions)
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      130.12.180.128
Registrar:       Dynadot, LLC
Nameservers:     ["ns1.dyna-ns.net", "ns2.dyna-ns.net"]
Registered:      2026-06-13

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     none
Status:     INVALID chain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either
the hosting provider / registrar suspended it on their own, the DNS went dead, or the
operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file
for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-06-13 07:50:03 UTC (by PhishDestroy tracker)
First reported:    2026-06-13 07:48:44 UTC (abuse notice filed)
Last verified:     2026-06-21 04:20:34 UTC
Neutralised:       2026-06-13 08:16:36 UTC
Current status:    taken down (registrar suspended or DNS dead)

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-13 09:38:49 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies eth-cowswap.click as a crypto drainer phishing domain designed to steal cryptocurrency assets from unsuspecting users. This domain mimics the legitimate CowSwap decentralized exchange platform, tricking victims into connecting their digital wallets under false pretenses. Once connected, malicious smart contracts deployed through the site automatically drain funds from the victim’s wallet without authorization, often targeting Ethereum and ERC-20 tokens. The threat is particularly insidious because it exploits the trust users place in familiar DeFi interfaces while operating silently in the background.  Technical analysis reveals that eth-cowswap.click currently shows 0 detections out of 95 security engines on VirusTotal, indicating it has not yet been widely flagged by major antivirus or anti-phishing vendors. The domain resolves to the IP address 130.12.180.128, which may host additional malicious infrastructure. While the domain has been taken offline, its prior activity and lack of prior detection highlight the evolving nature of crypto-focused phishing threats. The registrar and creation date remain undisclosed in public records, but the absence of blocklist entries further underscores the domain’s ability to evade initial scrutiny.  Users who visited eth-cowswap.click or connected their wallets to the site should take immediate action to secure their assets. First, revoke any suspicious smart contract approvals using a tool like Etherscan’s token approval checker or Revoke.cash. Next, transfer remaining funds to a new, secure wallet and monitor transaction history for unauthorized activity. Enable hardware wallet protection and multi-factor authentication where possible. If assets were stolen, report the incident to local cybercrime authorities and platforms like Chainabuse to aid in tracking the attackers. Always verify domain authenticity before interacting with DeFi platforms, and consider using browser extensions that block known phishing sites.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       0f98b704c93538fcb68377c679051b5a

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/eth-cowswap.click/
JSON API:          https://api.destroy.tools/v1/check?domain=eth-cowswap.click
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 167,129 domains (16,052 alive under monitoring, 150,759 confirmed takedowns/dead). Site: https://phishdestroy.io