# PhishDestroy threat dossier — floki-airdrop.app ================================================================ Fetched: 2026-06-28 22:11:36 UTC Canonical: https://phishdestroy.io/domain/floki-airdrop.app/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Airdrop Scam Targeted brand: Airdrop Scam ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 4/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Fortinet, Gridinsoft, SOCRadar Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.173.217 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED !!! REGISTRAR INTEGRITY ALERT — NiceNIC !!! NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response. Primary sources: https://phishdestroy.io/nicenic-real https://phishdestroy.io/nicenic-verdict Nameservers: dara.ns.cloudflare.com, jaxson.ns.cloudflare.com Registered: 2026-04-08 Expires: 2027-04-08 Page title: Even geduld... ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-24 20:57:32 UTC (by PhishDestroy tracker) First reported: 2026-06-24 19:02:57 UTC (abuse notice filed) Last verified: 2026-06-28 23:47:36 UTC Neutralised: 2026-06-25 03:04:03 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019efafd-5580-72af-be27-3350ac0085ff/ URLQuery: https://urlquery.net/report/5e30be4d-d172-4825-ad37-02859aa3b476 Wayback Machine: https://web.archive.org/web/*/floki-airdrop.app crt.sh CT logs: https://crt.sh/?q=%25.floki-airdrop.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=floki-airdrop.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/floki-airdrop.app URLhaus: https://urlhaus.abuse.ch/host/floki-airdrop.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-24 21:00:09 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain floki-airdrop.app has been identified as a live crypto wallet drainer campaign impersonating a Floki cryptocurrency airdrop promotion. This domain specifically targets users seeking 'free token distributions' by presenting a fraudulent airdrop interface that, when connected, silently drains connected wallets of assets via malicious drainer scripts. Historical patterns suggest the campaign leverages brand recognition—Floki—alongside urgency messaging to trick victims into connecting their wallets, which then triggers unauthorized asset transfers to attacker-controlled addresses. The drainer kit appears to be sourced from widely available scripts on dark web forums, commonly paired with fake airdrop landing pages to maximize deception. Floki-airdrop.app is part of an ongoing family of promiscuous drainer domains designed to harvest private keys or sign malicious transactions without user awareness. PhishDestroy analysis reveals floki-airdrop.app was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED and resolves to IPv4 172.67.173.217. The domain was created on April 08, 2026, and currently shows 4/95 detections on VirusTotal with no blocklist registrations as of time of writing. Given the recent creation date and pristine detection score, it is likely operating under the radar to avoid immediate takedown. While no site reputation status is disclosed via public APIs, the absence of detections suggests this infrastructure remains operationally fresh and unexposed in common threat feeds. There is no known affiliation with legitimate Floki or Floki Inu projects. The use of a cloud hosting infrastructure (Cloudflare ASN per IP resolution) further complicates attribution and blocking efforts. As of this advisory, floki-airdrop.app remains active and maintains full operational status, actively soliciting user connections via social media and crypto forums under the guise of a genuine airdrop event. Immediate response actions include domain blocking at DNS, network, and endpoint levels using the provided IP and domain. Users must exercise extreme caution around any 'airdropped' reward claims and never connect wallets to unverified websites. While the current risk remains classified as under investigation due to low signature prevalence, the velocity and operational maturity hint at imminent expansion across multiple attack vectors. Caution and proactive threat intelligence integration are advised for SOC teams to prevent user compromise. [Updates since narrative was generated:] - Public blocklists: now listed on 3 feeds ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260624-C6D9F7 Favicon MD5: c787e2023007af68fecd7930e9567179 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/floki-airdrop.app/ JSON API: https://api.destroy.tools/v1/check?domain=floki-airdrop.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 172,064 domains (13,017 alive under monitoring, 158,549 confirmed takedowns/dead). Site: https://phishdestroy.io