# PhishDestroy threat dossier — globalliquidityrouting.com
================================================================
Fetched: 2026-06-06 11:57:46 UTC
Canonical: https://phishdestroy.io/domain/globalliquidityrouting.com/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 34.216.117.25 (US, Portland)
ASN: AS16509 Amazon.com, Inc.
Hosting org: AWS EC2 (us-west-2)
Registrar: Spaceship, Inc.
Nameservers: launch1.spaceship.net, launch2.spaceship.net
Registered: 2026-05-21
Page title: globalliquidityrouting.com
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-08-23
Status: INVALID chain
Fingerprint: b98636ba22690183a7e7fc219e293f9ed45c2db8f106b47e1eab2d6bba630fff
Subject Alternative Names (related infrastructure — often same operator):
- www.globalliquidityrouting.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-23 16:32:13 UTC (by PhishDestroy tracker)
First reported: 2026-05-23 13:32:29 UTC (abuse notice filed)
Last verified: 2026-06-04 02:46:21 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e5506-f959-72c8-b318-a7da8ff05668/
URLQuery: https://urlquery.net/report/8e969dcf-16ff-4a01-9486-bbc200449057
Wayback Machine: https://web.archive.org/web/*/globalliquidityrouting.com
crt.sh CT logs: https://crt.sh/?q=%25.globalliquidityrouting.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=globalliquidityrouting.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/globalliquidityrouting.com
URLhaus: https://urlhaus.abuse.ch/host/globalliquidityrouting.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-23 16:34:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies globalliquidityrouting.com as an active crypto drainer domain designed to deceive users under the guise of a legitimate crypto liquidity routing service. The domain presents a high-risk threat vector with a specific modus operandi: tricking users into connecting their cryptocurrency wallets under false pretenses, leading to unauthorized fund drains. This domain is currently under investigation but remains active, indicating ongoing malicious campaigns. The presence of crypto drainer infrastructure is corroborated by its association with MetaMask and SEAL blocklists, which specifically target crypto-related fraud.
Immediate action is required to prevent financial loss.

This domain was flagged with a risk level of under_investigation and a confirmed threat type of crypto drainer. VirusTotal shows 0/95 detections, indicating it has evaded current antivirus signatures. The domain resolves to IP 34.216.117.25 and has appeared on 2 security blocklists. It was registered through Spaceship, Inc. on May 21, 2026, a notably recent creation date that aligns with its suspicious activity. The domain’s lack of detections despite blocklist appearances highlights its stealthy operation and the need for proactive detection measures.

Mitigation steps for this crypto drainer threat are critical and must prioritize wallet security. Users should immediately block and report the domain globalliquidityrouting.com to their browser’s security extensions or blocklists. Cryptocurrency wallet users must verify the legitimacy of liquidity service websites by cross-referencing official domains and using hardware wallets for high-value transactions. Organizations should deploy advanced threat intelligence tools that monitor for crypto drainer signatures, including transaction patterns and wallet connection prompts. Additionally, flagging the IP address 34.216.117.25 at the network level can prevent lateral spread within corporate environments. Given the domain’s recent registration and zero VirusTotal detections, assume it remains operational until proven otherwise.

[Updates since narrative was generated:]
- VirusTotal detections: now 1/91 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260523-D6A8B8
Favicon MD5: 62d356f877f5a93b1e72b62913dbfaf1
TLS cert SHA-256: b98636ba22690183a7e7fc219e293f9ed45c2db8f106b47e1eab2d6bba630fff

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/globalliquidityrouting.com/
JSON API: https://api.destroy.tools/v1/check?domain=globalliquidityrouting.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 158,525 domains (43,053 alive under monitoring, 114,656 confirmed takedowns/dead).
Site: https://phishdestroy.io