# PhishDestroy threat dossier — hfnewpg.vip
================================================================
Fetched: 2026-05-03 10:44:38 UTC
Canonical: https://phishdestroy.io/domain/hfnewpg.vip/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 74/100 (PhishDestroy scoring — see methodology below)
Scam classification: Fake Exchange

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 154.26.192.23 (US, Los Angeles)
ASN: AS18186 Nebula Global LLC
Hosting org: FSC NETWORK LTD
Registrar: Gname.com Pte. Ltd.
Nameservers: ["a8.share-dns.com", "b8.share-dns.net"]
Registered: 2026-03-28
Page title: HF Market
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-05-10
Status: INVALID chain
Fingerprint: e0b93546447042d34ac84c7d060c43938236db8c96ea64016d7d347b68e12285
Subject Alternative Names (related infrastructure — often same operator):
- h5.hfgoldexchange.com
- h5.hfhcgs.com
- h5.hfltwy.com
- hfcnjd.com
- hfgoldexchange.com
- hfgreenlife.com
- hfhcgs.com
- hfltwy.com
- hfojnt.com
- hfxsyxyj.com
- www.hfhcgs.com
- www.hfltwy.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-03-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-03-28 17:52:36 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-03-28 14:56:00 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-03 10:28:00 UTC
Neutralised: 2026-04-29 00:02:24 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d34ec-e68e-721d-a919-f0685cb36759/
URLQuery: https://urlquery.net/report/e0c55a2a-0de4-4499-8d1b-c55658a94f01
Wayback Machine: https://web.archive.org/web/*/hfnewpg.vip
crt.sh CT logs: https://crt.sh/?q=%25.hfnewpg.vip
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=hfnewpg.vip
AlienVault OTX: https://otx.alienvault.com/indicator/domain/hfnewpg.vip
URLhaus: https://urlhaus.abuse.ch/host/hfnewpg.vip/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-03-28 17:54:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies hfnewpg.vip as an active crypto-phishing scam designed to deceive cryptocurrency traders into entering credentials or downloading malicious payloads under the guise of a legitimate trading platform.
The site poses as a crypto exchange or wallet service, exploiting urgency and financial incentives to trick users into exposing sensitive information such as private keys or login credentials. Risk level is elevated due to active deployment, low detection by security vendors, and the high potential for financial loss associated with cryptocurrency theft.

This domain was flagged by PhishDestroy with an elevated risk level, indicating active phishing operations. It was registered on December 17, 2023 through Gname.com Pte. Ltd., resolving to IP address 154.26.192.23. VirusTotal shows detection by only 1 out of 95 security vendors, highlighting its stealth and low visibility. The domain utilizes a valid SSL certificate from Let's Encrypt, which may lend false legitimacy. Registration date and hosting infrastructure suggest recent deployment, likely as part of a coordinated campaign targeting crypto users.

Mitigation steps for this crypto-phishing threat are specific and urgent. Immediately block the domain hfnewpg.vip and its IP address 154.26.192.23 at the network perimeter and DNS level. Warn cryptocurrency traders and users to avoid any interaction with this domain, especially communications claiming affiliation with exchanges or wallet services. Users who accessed the site should revoke any exposed API keys, change passwords if credentials were entered, and scan devices for malware. Report the domain to relevant threat intelligence platforms and regulatory bodies to aid in takedown efforts. Always verify URLs through official channels and use hardware wallets for sensitive transactions.
## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260328-FB990D
Favicon MD5: 1ba2ae710d927f13d483fd5d1e548c9b
TLS cert SHA-256: e0b93546447042d34ac84c7d060c43938236db8c96ea64016d7d347b68e12285

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/hfnewpg.vip/
JSON API: https://api.destroy.tools/v1/check?domain=hfnewpg.vip
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 144,974 domains (55,792 alive under monitoring, 88,750 confirmed takedowns/dead).
Site: https://phishdestroy.io