# PhishDestroy threat dossier — firstswissherithage.com ================================================================ Fetched: 2026-05-20 09:29:36 UTC Canonical: https://phishdestroy.io/domain/firstswissherithage.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 90/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/92 security vendors flagged this domain URLQuery: 2 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 89.117.51.233 (FR, Lauterbourg) ASN: AS51167 Contabo GmbH Hosting org: SC "Lithuanian Radio and TV Center" Registrar: Fewmoretaps OU d/b/a Trustname.com !!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!! Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity, Belarusian ownership. Explicitly advertises itself as 'bulletproof' in its DNS TXT records. Primary source: https://phishdestroy.io/trustname-bulletproof-exposed Nameservers: leah.ns.cloudflare.com, luke.ns.cloudflare.com Registered: 2026-05-12 Page title: Home - first swiss herithage HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-08-10 Status: INVALID chain Fingerprint: e1ca638b33e35403cce51ade9a4f5cfda4d8b4aaa2a6cfbed5747e5b19ca38ae ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-19 04:04:42 UTC (by PhishDestroy tracker) First reported: 2026-05-19 01:05:37 UTC (abuse notice filed) Last verified: 2026-05-20 07:40:03 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e3dc2-052e-701c-9d6b-bf2afbc76cc6/ URLQuery: https://urlquery.net/report/f4950b10-70ac-4cc2-81b4-30fcbf70d862 Wayback Machine: https://web.archive.org/web/*/firstswissherithage.com crt.sh CT logs: https://crt.sh/?q=%25.firstswissherithage.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=firstswissherithage.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/firstswissherithage.com URLhaus: https://urlhaus.abuse.ch/host/firstswissherithage.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-19 04:05:13 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies firstswissherithage.com as an active generic phishing domain posing a significant risk to users seeking authentic Swiss heritage or financial services. The threat type is classified as a generic phishing campaign designed to deceive victims into disclosing sensitive information such as login credentials, payment details, or personal identification data. This domain was flagged due to its suspicious registration patterns and lack of established trust metrics, warranting immediate scrutiny. This domain presents multiple red flags across technical and behavioral indicators. It was registered on May 12, 2026, a recent creation that often correlates with malicious intent as threat actors leverage newly registered domains for short-lived campaigns. VirusTotal currently shows a detection score of 0 out of 95 antivirus engines, indicating no current public blocklisting, which increases exposure risk. The domain resolves to IP address 89.117.51.233, an infrastructure point associated with various low-trust or newly observed domains. The SSL certificate is issued by Let's Encrypt, a legitimate provider, but this does not validate the domain's intent—cybercriminals frequently use free certificates to establish false credibility. The domain was registered through Fewmoretaps OU d/b/a Trustname.com, a registrar known for permissive policies and high-risk domain registrations. No trust scores or reputation data are available, reinforcing its suspicious classification. Mitigation for this specific threat requires immediate avoidance and proactive defensive measures. Users should not access or interact with firstswissherithage.com under any circumstances, as it is an active phishing site. Organizations and individuals should monitor network traffic for connections to IP 89.117.51.233 or domain hashes related to this campaign. Block the domain at DNS or firewall levels using threat intelligence feeds. Report the domain to relevant authorities such as CERT teams, the registrar (Trustname.com), and abuse channels such as abuse@trustname.com or via IC3.gov for phishing complaints. Since the site uses Let's Encrypt, revocation of the certificate is unlikely to be effective; instead, rely on domain reputation and DNS blocking. Educate users to verify domains through official Swiss heritage or financial portals before submitting any data. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260519-83C308 Favicon MD5: ad15f44dcedd159b7f9d850f3204bb10 TLS cert SHA-256: e1ca638b33e35403cce51ade9a4f5cfda4d8b4aaa2a6cfbed5747e5b19ca38ae ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/firstswissherithage.com/ JSON API: https://api.destroy.tools/v1/check?domain=firstswissherithage.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 151,853 domains (43,078 alive under monitoring, 108,402 confirmed takedowns/dead). Site: https://phishdestroy.io