# PhishDestroy threat dossier — exedusweb3-faq.pages.dev
================================================================
Fetched: 2026-04-22 13:00:24 UTC
Canonical: https://phishdestroy.io/domain/exedusweb3-faq.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Exodus

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 7/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, BitDefender, ESET, Fortinet, G-Data, Kaspersky, Sophos

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.66.45.39 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: archer.ns.cloudflare.com, cruz.ns.cloudflare.com
Registered: 2026-04-20
Page title: Exodus Web3 Wallet — Presentation
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-18
Status: INVALID chain
Fingerprint: b76c5c2c9ad7c36991bd0adb25f20f39c51171ccfcbe9adae040fc909669c25d

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-20 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-20 14:02:14 UTC (by PhishDestroy tracker)
Last verified: 2026-04-22 13:41:07 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019daa8d-00dd-70ef-8e76-40c7f6b640b0/
Wayback Machine: https://web.archive.org/web/*/exedusweb3-faq.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.exedusweb3-faq.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=exedusweb3-faq.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/exedusweb3-faq.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/exedusweb3-faq.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-20 14:03:40 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy has flagged the active domain exedusweb3-faq.pages.dev as a generic phishing page that is currently hosting a crypto drainer designed to empty cryptocurrency wallets. This threat is delivered through a deceptive FAQ page that impersonates a legitimate Web3 project, luring victims into connecting their wallets under the guise of troubleshooting or support. Once connected, the drainer silently approves malicious token transfers or drains NFTs without the victim’s consent, exploiting the common trust users place in FAQ and help-center links. The domain is hosted on Cloudflare Pages at IP 172.66.45.39 and is served with a TLS certificate issued by Google Trust Services, which makes the page appear more credible at a glance.

This domain was flagged with minimal detection on VirusTotal, currently showing 0 out of 95 engines flagging it, indicating that signature-based defenses have not yet caught up to this threat. Registered through Cloudflare, Inc., the domain is hosted on a shared infrastructure environment commonly abused by threat actors for short-lived phishing campaigns. At present, this domain has not been widely listed on public blocklists, increasing the risk of exposure to unsuspecting users who may encounter it via misleading advertisements, search results, or social media links. With no current detections, this is a classic case of a zero-day phishing threat that relies on speed and deception to bypass security controls.

Users who have visited exedusweb3-faq.pages.dev or entered any wallet credentials, approved transactions, or connected their wallet should immediately revoke any unauthorized permissions using tools like revoke.cash or Etherscan’s token approval checker. Disconnect the wallet from all dApps via wallet settings and scan for suspicious transactions. Consider transferring remaining funds to a newly generated wallet with a strong seed phrase. Report the domain to PhishDestroy and your wallet provider, and monitor for unauthorized transfers. Always verify support links by navigating directly to the official project website and avoid clicking on FAQ or help links from untrusted sources. Stay vigilant against similar Web3-themed phishing campaigns by using real-time threat intelligence platforms like PhishDestroy to validate domains before interaction.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: b76c5c2c9ad7c36991bd0adb25f20f39c51171ccfcbe9adae040fc909669c25d

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/exedusweb3-faq.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=exedusweb3-faq.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains.
Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io