# PhishDestroy threat dossier — gzsm.com ================================================================ Fetched: 2026-07-13 08:55:24 UTC Canonical: https://phishdestroy.io/domain/gzsm.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Investment Scam ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 2/91 security vendors flagged this domain Flagging vendors: Gridinsoft, SOCRadar Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 162.0.211.135 (US, Phoenix) ASN: ASAS22612 NAMECHEAP-NET - Namecheap, Inc., US Hosting org: AS22612 Namecheap, Inc. Registrar: NAMECHEAP INC Nameservers: dns1.registrar-servers.com, dns2.registrar-servers.com Registered: 2002-04-01 Expires: 2027-04-01 Page title: Free AML Wallet Checker - Crypto Risk Score & Sanctions Check HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-08-11 Status: INVALID chain Fingerprint: 0a6c3ba00a874fddf988c2b995ad0cde327c910d6d84eb598c766f27d8783837 Subject Alternative Names (related infrastructure — often same operator): - www.gzsm.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2002-04-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 14:29:23 UTC (by PhishDestroy tracker) Last verified: 2026-07-13 08:20:41 UTC Neutralised: 2026-07-06 18:16:50 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3766-363c-717c-9bd3-4bc418a8ee5b/ Wayback Machine: https://web.archive.org/web/*/gzsm.com crt.sh CT logs: https://crt.sh/?q=%25.gzsm.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=gzsm.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/gzsm.com URLhaus: https://urlhaus.abuse.ch/host/gzsm.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-06 15:00:55 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is currently under investigation for operating as a fraudulent cryptocurrency wallet checker, specifically designed to function as a crypto drainer. Analysis indicates the site impersonates legitimate anti-money laundering (AML) and risk assessment tools, potentially tricking users into connecting wallets to malicious smart contracts that siphon funds. The threat type is classified as a crypto drainer, a high-risk attack vector targeting cryptocurrency holders with deceptive financial compliance tools. Infrastructure analysis reveals the domain gzsm.com resolves to the IP address 162.0.211.135 and was registered through NAMECHEAP INC on April 01, 2002. Despite its long registration history, the domain exhibits no prior malicious detections on VirusTotal, with a score of 0/95. No blocklist entries or trust score downgrades are currently recorded, which may contribute to its ability to evade initial scrutiny. The page title, Free AML Wallet Checker - Crypto Risk Score & Sanctions Check, directly aligns with common lures used in crypto drainer schemes, where victims are prompted to input wallet addresses or connect wallets for supposed compliance checks. Mitigation steps for this threat type include immediate blocking of the domain and its associated IP address at the network perimeter. Organizations and individuals should avoid interacting with any wallet checker tools not originating from verified, reputable sources. Users who may have connected wallets to this domain should revoke smart contract permissions via blockchain explorers and transfer assets to new, secure wallets. Security teams are advised to monitor for outbound connections to 162.0.211.135 and correlate any wallet addresses promoted by the site with known malicious activity feeds. Given the absence of prior detections, this domain may represent a newly deployed or low-volume attack vector, warranting heightened vigilance. [Updates since narrative was generated:] - Public blocklists: now listed on 3 feeds - VirusTotal detections: now 2/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 68f88a9c01d95f4f67d4cb156975f97b TLS cert SHA-256: 0a6c3ba00a874fddf988c2b995ad0cde327c910d6d84eb598c766f27d8783837 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/gzsm.com/ JSON API: https://api.destroy.tools/v1/check?domain=gzsm.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,033 domains (49,760 alive under monitoring, 128,273 confirmed takedowns/dead). Site: https://phishdestroy.io