# PhishDestroy threat dossier — horizonglobaltrust.com ================================================================ Fetched: 2026-04-30 18:47:37 UTC Canonical: https://phishdestroy.io/domain/horizonglobaltrust.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: MetaMask ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 11/94 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Lionic, Netcraft, Sophos Public blocklists: listed on 2 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 198.251.89.220 (LU, Luxembourg) ASN: AS53667 FranTech Solutions Hosting org: FranTech Solutions Registrar: TLD Registrar Solutions Ltd. Nameservers: ns27.asurahosting.com, ns27.my-control-panel.com, ns28.asurahosting.com, ns28.my-control-panel.com Registered: 2026-04-04 HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-06-29 Status: INVALID chain Fingerprint: e127eb2ac1454f7711c3efea8bed63654d87e688784cbedf620145fb89517f5a Subject Alternative Names (related infrastructure — often same operator): - horizonglobaltrust.com.valtarabitvision.com - www.horizonglobaltrust.com.valtarabitvision.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-04 20:23:56 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-04 17:26:56 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-04-30 18:08:42 UTC Neutralised: 2026-04-23 03:12:03 UTC Current status: taken down (registrar suspended or DNS dead) Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d5984-11ca-775e-add3-05e2cf380013/ URLQuery: https://urlquery.net/report/80829474-e2f1-4bf1-aac9-f66886ddb710 Wayback Machine: https://web.archive.org/web/*/horizonglobaltrust.com crt.sh CT logs: https://crt.sh/?q=%25.horizonglobaltrust.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=horizonglobaltrust.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/horizonglobaltrust.com URLhaus: https://urlhaus.abuse.ch/host/horizonglobaltrust.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-04 20:25:10 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies horizonglobaltrust.com as an active crypto drainer posing as Horizon Global Trust to steal cryptocurrency from victims. This domain was flagged on two security blocklists, including SEAL and MetaMask, indicating confirmed malicious intent. The site leverages a Let's Encrypt SSL certificate for false legitimacy while hosting a fraudulent interface designed to trick users into connecting crypto wallets for unauthorized fund transfers. Recent reports suggest it targets investors in global trust services, capitalizing on name similarity to Horizon Global Trust, a legitimate entity, to gain trust and facilitate theft. This domain was registered through TLD Registrar Solutions Ltd. on October 09, 2023, and is currently resolving to IP address 198.251.89.220. VirusTotal currently shows 0 detections out of 95 security vendors, meaning antivirus tools have not yet flagged it, likely due to its recent deployment. Despite low detection rates, the domain's presence on two reputable blocklists signals elevated risk. The technical indicators—recent creation date, active resolution, and early-stage evasion—suggest this is an emerging but dangerous threat, especially for those unfamiliar with domain age checks or phishing red flags. If you visited horizonglobaltrust.com or entered any information, disconnect your crypto wallet immediately and revoke any connected permissions using your wallet’s security settings. Do not click any links or interact further with the site. Report the incident to your wallet provider and file a complaint with local cybercrime units. To prevent future exposure, use PhishDestroy’s real-time domain verification tool before visiting any website claiming to offer financial services or crypto-related products. Stay vigilant: legitimate companies rarely use recently registered domains, and crypto drainers often mimic well-known brands to deceive users. Always verify URLs, use hardware wallets for large transactions, and enable multi-factor authentication where possible. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260404-E5EF87 Favicon MD5: 3549298d42342cc8fae7e0e5ed5e52b3 TLS cert SHA-256: e127eb2ac1454f7711c3efea8bed63654d87e688784cbedf620145fb89517f5a ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/horizonglobaltrust.com/ JSON API: https://api.destroy.tools/v1/check?domain=horizonglobaltrust.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io