# PhishDestroy threat dossier — ff-app.org
================================================================
Fetched: 2026-06-07 14:57:31 UTC
Canonical: https://phishdestroy.io/domain/ff-app.org/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 91/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, Ermes, Gridinsoft
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 176.125.242.151 (MD, Chisinau)
ASN: AS200019 ALEXHOST SRL
Hosting org: Alexhost SRL
Registrar: Dynadot Inc
Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net
Registered: 2026-04-26
Page title: FixedFloat: Swap Your Crypto Easily

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-06-13
Status: INVALID chain
Fingerprint (SHA-256): 23655ff784da8be9b2d023ff11eb8a80889fae0fd96627489d20e45d5625431f
Subject Alternative Names (related infrastructure — often the same operator):
- www.ff-app.org

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched: either the hosting provider or registrar suspended it on their own initiative, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-26 16:59:21 UTC (by PhishDestroy tracker)
Earliest abuse record: 2026-04-26 14:00:53 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-06-07 16:01:45 UTC
Neutralised: 2026-06-06 17:34:47 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dca15-665f-725c-b3f0-17a8698c2cb1/
URLQuery: https://urlquery.net/report/379706ae-c88e-4105-9484-5b1be0542c9f
Wayback Machine: https://web.archive.org/web/*/ff-app.org
crt.sh CT logs: https://crt.sh/?q=%25.ff-app.org
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ff-app.org
AlienVault OTX: https://otx.alienvault.com/indicator/domain/ff-app.org
URLhaus: https://urlhaus.abuse.ch/host/ff-app.org/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-26 17:00:02 UTC — the narrative may predate the facts above. Treat the fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative where they differ from the prose below.]

PhishDestroy identifies ff-app.org as a newly active generic phishing domain that uses a fake app lure to harvest credentials and payment data.
The domain impersonates a legitimate application service without association to any known brand, suggesting opportunistic credential phishing. No drainer-kit artifacts (e.g., MetaMask or wallet-drainer code) are visible in open-source intelligence, indicating a simpler but still effective social-engineering approach focused on account takeover and financial theft.

The domain was registered through Dynadot LLC on March 03, 2026, and is currently resolving to IP 176.125.242.151. It holds a valid Let's Encrypt certificate, a free-TLS signal commonly abused to lend phishing lures an appearance of legitimacy. As of this report, VirusTotal shows 0/95 detection engines flagging the domain, and Google Safe Browsing has not yet blacklisted it. The domain has no public blocklist entries, indicating low prior detection coverage.

This domain presents an elevated risk because of its recent creation, clean reputation history, and use of encryption to appear legitimate. The combination of a freshly registered domain, low VT score, and absence from GSB and blocklists makes it a high-confidence threat vector for users engaging with unknown app download pages. While no advanced drainer infrastructure is detected, the generic phishing approach remains effective for mass credential harvesting and payment fraud. The lack of third-party detection suggests the operators are working with minimal interference, increasing the likelihood of successful compromise for unsuspecting users.

PhishDestroy has flagged ff-app.org as ACTIVE; the domain is currently under investigation. No official takedown or block has been confirmed at this time. Users are advised to avoid interacting with this domain and any associated links or downloads. Security teams should block the IP 176.125.242.151 at the network perimeter and monitor DNS queries for ff-app.org. Remaining risk is assessed as HIGH due to active status, low detection coverage, and plausible user deception through fake app impersonation.
Immediate user caution and proactive blocking are strongly recommended.

[Updates since the narrative was generated:]
- VirusTotal detections: now 3/91 (the narrative was written when the count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260426-9E36E8
Favicon MD5: 75b2dd27f78393098895dd95e22d7237
TLS cert SHA-256: 23655ff784da8be9b2d023ff11eb8a80889fae0fd96627489d20e45d5625431f

## SCORING METHODOLOGY
----------------------------------------------------------------
The composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or a rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway-infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe: new scam domains routinely show 0/95 on VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
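The following is an added example, not PhishDestroy's code, of the aggregation principle the methodology above describes: several independent signals each contribute to a composite score, so a 0/95 VirusTotal ratio cannot on its own pull a domain into the low band once other indicators fire. The point budget per signal, the caps and the band thresholds are assumptions chosen for illustration; they are not PhishDestroy's weights and do not reproduce the 91/100 shown on this page. The ff-app.org input values are taken from the dossier fields above; the other two domains are constructed for contrast.

```python
"""Composite risk scoring from independent indicators (added example).

Weights, caps and bands are ASSUMPTIONS for illustration, not PhishDestroy's.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Indicators:
    vt_positives: int                 # vendors flagging the domain
    vt_total: int                     # vendors that scanned it
    blocklist_hits: int               # independent public blocklists listing it
    registered: date                  # WHOIS creation date (may be a re-registration)
    observed: date                    # date the assessment is made
    free_tls: bool                    # Let's Encrypt-style throwaway certificate
    brand_impersonation: bool         # page title / DOM mimics a known brand
    cloaking: bool                    # bot vs real-visitor rendering delta seen
    drainer_family: Optional[str] = None   # e.g. "Inferno"; None if no drainer kit


def contributions(ind: Indicators) -> dict:
    """Points per signal (assumed budget, 120 raw, capped to 100 in composite_score).
    No single signal, VirusTotal least of all, can decide the verdict alone."""
    c = {}
    # VT earns the full 25 only once >= 10% of vendors flag it; fresh domains sit near 0.
    ratio = ind.vt_positives / ind.vt_total if ind.vt_total else 0.0
    c["virustotal"] = round(25 * min(1.0, 10 * ratio))
    # Blocklist consensus: 10 per independent list, capped at 30.
    c["blocklists"] = min(30, 10 * ind.blocklist_hits)
    # Domain age: freshly registered infrastructure is the classic throwaway signal.
    age_days = (ind.observed - ind.registered).days
    c["domain_age"] = 15 if age_days < 30 else 8 if age_days < 90 else 0
    c["free_tls"] = 5 if ind.free_tls else 0
    c["brand_impersonation"] = 15 if ind.brand_impersonation else 0
    c["cloaking"] = 10 if ind.cloaking else 0
    c["drainer_kit"] = 20 if ind.drainer_family else 0
    return c


def composite_score(ind: Indicators) -> int:
    return min(100, sum(contributions(ind).values()))


def band(score: int) -> str:
    # Assumed thresholds.
    return "HIGH" if score >= 60 else "MEDIUM" if score >= 30 else "LOW"


# ff-app.org values come from the dossier: VT 3/91, 3 blocklists, registered
# 2026-04-26, assessed 2026-06-07, Let's Encrypt cert, page title imitating
# FixedFloat. Cloaking and drainer-kit status are not reported, so both are False.
FF_APP = Indicators(3, 91, 3, date(2026, 4, 26), date(2026, 6, 7),
                    free_tls=True, brand_impersonation=True, cloaking=False)
# Constructed contrast cases (hypothetical domains, not from the page).
FRESH_DRAINER = Indicators(0, 95, 0, date(2026, 6, 2), date(2026, 6, 7),
                           free_tls=True, brand_impersonation=True, cloaking=True,
                           drainer_family="Inferno")
AGED_BENIGN = Indicators(0, 95, 0, date(2019, 1, 1), date(2026, 6, 7),
                         free_tls=False, brand_impersonation=False, cloaking=False)

if __name__ == "__main__":
    cases = [("ff-app.org", FF_APP), ("fresh drainer", FRESH_DRAINER), ("aged benign", AGED_BENIGN)]
    for name, ind in cases:
        s = composite_score(ind)
        print(f"{name:14} VT {ind.vt_positives}/{ind.vt_total:<3} score {s:3} {band(s):6} {contributions(ind)}")
```

Note that the constructed "fresh drainer" scores HIGH with a 0/95 VT ratio and no blocklist entries at all, purely from age, free TLS, impersonation, cloaking and kit fingerprinting, which is exactly the situation the caveat above warns about; the aged domain with none of those signals stays at zero even though its VT ratio is identical.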
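The narrative above recommends blocking 176.125.242.151 at the perimeter and monitoring DNS queries for ff-app.org, and the TLS section lists www.ff-app.org as related infrastructure. The following added example (not PhishDestroy's code) turns those three indicators into a DNS-log detector. The log format and the log lines are constructed for the example (a real deployment would feed resolver or Zeek dns.log records instead); the hostname swap-fixedfloat.example is a made-up sibling name used only to show the pivot on the shared hosting IP. Matching is done on DNS labels rather than with a string suffix test, so look-alike names such as xff-app.org do not trigger.

```python
"""DNS-log detection for this dossier's indicators (added example)."""
import re

# Indicators taken from the dossier.
DOMAINS = {"ff-app.org", "www.ff-app.org"}   # registered name + TLS SAN
IPS = {"176.125.242.151"}                     # hosting IP (AS200019 ALEXHOST SRL)

# Constructed resolver log lines: "<ts> <client> query <qtype> <qname> [answer <rdata>]".
LOG_LINES = """\
2026-06-07T10:12:01Z 10.0.0.12 query A ff-app.org answer 176.125.242.151
2026-06-07T10:12:03Z 10.0.0.12 query A www.ff-app.org answer 176.125.242.151
2026-06-07T10:13:09Z 10.0.0.40 query A cdn.ff-app.org answer 176.125.242.151
2026-06-07T10:14:22Z 10.0.0.77 query A xff-app.org answer 203.0.113.9
2026-06-07T10:15:00Z 10.0.0.18 query A swap-fixedfloat.example answer 176.125.242.151
2026-06-07T10:16:45Z 10.0.0.18 query A example.org answer 198.51.100.7
2026-06-07T10:17:00Z 10.0.0.55 query AAAA ff-app.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)"
    r"(?: answer (?P<answer>\S+))?$"
)


def matches_domain(qname: str, domains: set = DOMAINS) -> bool:
    """True if qname equals an indicator domain or is a subdomain of one.
    Compares whole labels, so 'xff-app.org' and 'ff-app.org.attacker.example'
    do not match; a naive str.endswith() check would accept the first one."""
    labels = qname.rstrip(".").lower().split(".")
    for d in domains:
        dl = d.lower().split(".")
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return True
    return False


def scan(text: str) -> list:
    """Return one alert per log line that touches an indicator domain or IP."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # malformed record: skip it rather than crash the detector
        reasons = []
        if matches_domain(m["qname"]):
            reasons.append("qname matches indicator domain")
        if m["answer"] in IPS:   # None for NODATA/NXDOMAIN lines, never in IPS
            reasons.append("answer is indicator IP")   # catches sibling names on the same host
        if reasons:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "qname": m["qname"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(f"{a['ts']} {a['client']:10} {a['qname']:25} {'; '.join(a['reasons'])}")
```

The AAAA line without an answer still alerts: the query alone is the indicator, which is why monitoring should key on the queried name and not only on resolved addresses, while the IP match is what surfaces the otherwise unknown sibling name hosted on the same address.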
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/ff-app.org/
JSON API: https://api.destroy.tools/v1/check?domain=ff-app.org
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 157,787 domains (42,441 alive under monitoring, 114,246 confirmed takedowns/dead).
Site: https://phishdestroy.io