# PhishDestroy threat dossier — fiona-v7.top ================================================================ Fetched: 2026-07-02 07:25:57 UTC Canonical: https://phishdestroy.io/domain/fiona-v7.top/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Crypto Drainer Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/92 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Gridinsoft, LevelBlue Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.140.103 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: 阿里云计算有限公司 Nameservers: ["fatima.ns.cloudflare.com.", "jarred.ns.cloudflare.com."] Registered: 2026-05-17 Page title: Create Next App HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-17 08:53:28 UTC (by PhishDestroy tracker) First reported: 2026-05-17 08:53:22 UTC (abuse notice filed) Last verified: 2026-07-02 08:20:36 UTC Neutralised: 2026-06-06 17:30:39 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e347c-546d-712d-a2dd-6a74474d3566/ Wayback Machine: https://web.archive.org/web/*/fiona-v7.top crt.sh CT logs: https://crt.sh/?q=%25.fiona-v7.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=fiona-v7.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/fiona-v7.top URLhaus: https://urlhaus.abuse.ch/host/fiona-v7.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-17 08:54:19 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies active credential harvesting infrastructure on the domain fiona-v7.top, masquerading as the legitimate React scaffolding tool 'Create Next App'. The site serves as a generic phishing entry point designed to trick developers into submitting authentication tokens or API keys under the guise of a routine setup process. No specific drainer kit payload is observed in current telemetry, suggesting the campaign relies on a lightweight landing page that forwards stolen data to a backend collection server. The threat infrastructure is anchored by the domain fiona-v7.top, which was registered on May 14, 2026 through Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn). The domain resolves to IP address 172.67.140.103 and utilizes a valid Let's Encrypt SSL certificate to enhance appearance of legitimacy. VirusTotal analysis indicates minimal detection coverage with only 1 out of 95 security vendors flagging the domain as malicious as of the latest scan window. The domain has not been flagged by Google Safe Browsing (GSB) and currently shows zero listings on public blocklists, indicating a newly emerged or stealthily operating campaign. As of the last intelligence update, the campaign is classified as active with an elevated risk profile. Immediate defensive actions include blocking the domain at DNS and network levels using indicator fiona-v7.top and IP 172.67.140.103. Users are advised to avoid visiting the site and inspect development tooling workflows for unexpected redirections or authentication prompts. Remaining risk is assessed as moderate due to low detection coverage and recent domain registration, allowing for potential expansion if undetected. Continuous monitoring is recommended to identify associated infrastructure or updated payload delivery mechanisms. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: c30c7d42707a47a3f4591831641e50dc ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/fiona-v7.top/ JSON API: https://api.destroy.tools/v1/check?domain=fiona-v7.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,583 domains (14,589 alive under monitoring, 158,288 confirmed takedowns/dead). Site: https://phishdestroy.io