# PhishDestroy threat dossier — h5.ddlove-kr.com ================================================================ Fetched: 2026-06-07 23:04:41 UTC Canonical: https://phishdestroy.io/domain/h5.ddlove-kr.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/95 security vendors flagged this domain Flagging vendors: LevelBlue URLQuery: 1 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.96.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: Dynadot Inc Nameservers: donald.ns.cloudflare.com, mariah.ns.cloudflare.com Registered: 2026-04-18 Page title: ddlove.tabbar.profile HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-07-17 Status: INVALID chain Fingerprint: f79f30e351ffe98700f893b483496c1ffc997f9184b9c7b5154ff4fe5586cff8 Subject Alternative Names (related infrastructure — often same operator): - ddlove-kr.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-18 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-15 20:10:49 UTC (by PhishDestroy tracker) First reported: 2026-05-15 17:12:20 UTC (abuse notice filed) Last verified: 2026-06-07 20:49:46 UTC Neutralised: 2026-06-06 17:30:45 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e2c9d-ac4a-7130-bc21-3704c5c5c300/ URLQuery: https://urlquery.net/report/72294503-4100-4f26-83d0-bac97472d11a Wayback Machine: https://web.archive.org/web/*/h5.ddlove-kr.com crt.sh CT logs: https://crt.sh/?q=%25.h5.ddlove-kr.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=h5.ddlove-kr.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/h5.ddlove-kr.com URLhaus: https://urlhaus.abuse.ch/host/h5.ddlove-kr.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-15 20:11:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] h5.ddlove-kr.com has been identified as an active crypto drainer domain designed to trick users into connecting cryptocurrency wallets and approve malicious transactions. The domain poses as a legitimate service, likely targeting Korean-speaking users or those interested in digital assets. Security researchers confirm it actively harvests wallet credentials and initiates unauthorized transfers once wallet connections are established. The domain operates under a deceptive subdomain structure (h5.ddlove-kr.com), mimicking a known brand or service to gain user trust before deploying exploit kits or fake transaction interfaces. Upon connection, victims may unknowingly sign malicious payloads that drain tokens or NFTs directly from connected wallets. Technical analysis reveals the site leverages modern web frameworks and obfuscated JavaScript to evade detection, making it particularly dangerous for users unfamiliar with crypto wallet security practices. This domain was flagged by VirusTotal with only 1 out of 95 security vendors detecting it as malicious at the time of analysis, indicating its stealth and low prior exposure. Registered through Dynadot Inc. on April 18, 2026, it is hosted on IP 188.114.96.3 and secured with a Let's Encrypt SSL certificate—common tools used to appear legitimate and evade browser warnings. The domain’s recent creation date suggests a short-lived campaign, but its active status and low detection rate make it especially hazardous for users visiting without proper precautions. The combination of a newly registered domain, low VT coverage, and crypto-targeted deception strongly correlates with high-risk crypto drainer activity. Users who visited h5.ddlove-kr.com should immediately disconnect all crypto wallets from the site and revoke any granted permissions via wallet settings or blockchain explorers. If any unauthorized transactions occurred, file a report with the relevant blockchain explorer and contact your wallet provider for incident support. Avoid reusing passwords or connecting wallets to untrusted domains in the future. Enable wallet transaction simulation tools and use hardware wallets where possible. Monitor blockchain activity closely and consider rotating wallet addresses. Report the domain to your antivirus vendor, browser blocklists, and crypto security platforms to help prevent further victimization. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260515-9DDA60 Favicon MD5: 08a8cee5f990c93340ef0356c11102a1 TLS cert SHA-256: f79f30e351ffe98700f893b483496c1ffc997f9184b9c7b5154ff4fe5586cff8 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/h5.ddlove-kr.com/ JSON API: https://api.destroy.tools/v1/check?domain=h5.ddlove-kr.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 158,819 domains (42,678 alive under monitoring, 115,009 confirmed takedowns/dead). Site: https://phishdestroy.io