# PhishDestroy threat dossier — ethereum-to-monero.exchange
================================================================

Fetched:   2026-04-21 11:57:59 UTC
Canonical: https://phishdestroy.io/domain/ethereum-to-monero.exchange/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 97/100 (PhishDestroy scoring — see methodology below)
Scam classification: Fake Exchange
Targeted brand: Ethereum

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      5/95 security vendors flagged this domain
  Flagging vendors: ChainPatrol, alphaMountain.ai, CyRadar, Fortinet, Seclookup
URLQuery:        2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      213.111.150.143
Registrar:       NICENIC INTERNATIONAL GROUP CO., LIMITED

!!! REGISTRAR INTEGRITY ALERT — NiceNIC !!!
NiceNIC International: over 90% of its registered domains are associated with
illegal content; documented systematic abuse-report non-response. Primary sources:
  https://phishdestroy.io/nicenic-real
  https://phishdestroy.io/nicenic-verdict

Nameservers:     ["ns1.zomro.net", "ns2.zomro.ru"]
Registered:      2026-04-21
Page title:      Ethereum to Monero No KYC - Anonymous ETH to XMR Exchange
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R12
Expires:    2026-06-10
Status:     INVALID chain
Fingerprint: f070bd1ef924a3b7328b6de1a60fc826b16ce8c735e721ef4d005b096805bc98
Subject Alternative Names (related infrastructure — often same operator):
  - www.ethereum-to-monero.exchange

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-21 11:56:32 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-21 09:07:38 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-04-21 13:50:07 UTC
Current status:    ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019daf40-a4f7-737a-975f-b710be188dd9/
URLQuery:         https://urlquery.net/report/7e2b4c13-86cd-4da6-85dc-51b4d7acd21c
Wayback Machine:  https://web.archive.org/web/*/ethereum-to-monero.exchange
crt.sh CT logs:   https://crt.sh/?q=%25.ethereum-to-monero.exchange
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ethereum-to-monero.exchange
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/ethereum-to-monero.exchange
URLhaus:          https://urlhaus.abuse.ch/host/ethereum-to-monero.exchange/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-21 11:57:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain ethereum-to-monero.exchange is identified as an active crypto drainer threat, specifically targeting cryptocurrency users by impersonating a currency exchange service between Ethereum and Monero. This malicious domain aims to steal funds by draining victims' crypto wallets through fraudulent means.

According to VirusTotal data, ethereum-to-monero.exchange is flagged by 5 out of 95 security vendors, indicating a recognized threat presence. The domain uses a Let's Encrypt SSL certificate, adding a deceptive layer of trust. It resolves to the IP address 213.111.150.143. Although the creation date and registrar details are not provided, the domain's elevated risk level and active status warrant caution. The relatively low detection rate suggests this threat may not yet be widely recognized by all security tools.

Currently marked as active, ethereum-to-monero.exchange should be blocked and avoided by users, especially those engaged in cryptocurrency transactions. Security teams are advised to monitor this domain closely and update blocklists accordingly. Users must refrain from visiting or submitting any credentials or wallet information on this site to prevent financial loss due to crypto draining attempts.

[Updates since narrative was generated:]
  - WHOIS creation date: 2026-04-21

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260421-CBBEFC
Favicon MD5:       9a27c980152ec8336958e1ff755a8fc3
TLS cert SHA-256:      f070bd1ef924a3b7328b6de1a60fc826b16ce8c735e721ef4d005b096805bc98

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/ethereum-to-monero.exchange/
JSON API:          https://api.destroy.tools/v1/check?domain=ethereum-to-monero.exchange
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io