# PhishDestroy threat dossier — fun-vote.lol
================================================================
Fetched: 2026-05-15 09:50:40 UTC
Canonical: https://phishdestroy.io/domain/fun-vote.lol/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 85/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 104.21.48.218 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers: ligia.ns.cloudflare.com, steven.ns.cloudflare.com
Registered: 2026-05-04
Page title: Pump | Voting

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-08-02
Status: INVALID chain
Fingerprint: dc7f6c32348e4c811deabad08963ff76b6ff25895bdeb5910ef857692b4b224a

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-07 02:02:51 UTC (by PhishDestroy tracker)
First reported: 2026-05-06 23:03:20 UTC (abuse notice filed)
Last verified: 2026-05-15 01:42:16 UTC
Neutralised: 2026-05-14 20:59:14 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dff85-2c3d-740a-b377-fee2d6eacfb8/
URLQuery: https://urlquery.net/report/886ca531-464d-43e6-af63-adb20db0ba19
Wayback Machine: https://web.archive.org/web/*/fun-vote.lol
crt.sh CT logs: https://crt.sh/?q=%25.fun-vote.lol
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=fun-vote.lol
AlienVault OTX: https://otx.alienvault.com/indicator/domain/fun-vote.lol
URLhaus: https://urlhaus.abuse.ch/host/fun-vote.lol/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-07 02:05:30 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies fun-vote.lol as a domain under active investigation for potential crypto drainer activity, a specific form of phishing designed to steal cryptocurrency assets from unsuspecting victims. The current risk level remains under investigation, but the presence of a crypto drainer toolkit cannot be ruled out given the domain's behavior patterns and lack of transparency. Users are strongly advised to avoid this domain due to the high potential for financial harm and data compromise.

This domain was flagged with the following technical indicators: registered through PDR Ltd. d/b/a PublicDomainRegistry.com, resolving to IP 104.21.48.218, and presenting an SSL certificate from Let's Encrypt. The domain was created on May 04, 2026, and currently shows 0/95 detections on VirusTotal, indicating it has not yet been widely blacklisted or flagged by security vendors. The lack of historical data and recent creation date further compounds the risk profile, as newly registered domains often serve as temporary infrastructure for malicious activities.

To mitigate the risk associated with crypto drainer phishing domains like fun-vote.lol, users should implement several security measures. First, avoid interacting with any unsolicited links or websites, especially those promoting cryptocurrency-related activities or claiming to offer voting or survey participation with rewards. Second, verify the legitimacy of any website by checking for HTTPS encryption, examining the domain name for misspellings or unusual characters, and looking for verified trust seals or contact information. Third, use hardware wallets or multi-signature wallets for cryptocurrency transactions, and never enter private keys or seed phrases into online forms. Finally, deploy browser extensions that block known phishing domains and enable real-time scanning of web traffic for malicious content. If you have already interacted with this domain, immediately revoke any connected wallet permissions and transfer your assets to a secure wallet not associated with the compromised site.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260506-5E94FF
TLS cert SHA-256: dc7f6c32348e4c811deabad08963ff76b6ff25895bdeb5910ef857692b4b224a

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/fun-vote.lol/
JSON API: https://api.destroy.tools/v1/check?domain=fun-vote.lol
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 149,768 domains (37,020 alive under monitoring, 112,469 confirmed takedowns/dead).
Site: https://phishdestroy.io