# PhishDestroy threat dossier — hxyhxy.sbs ================================================================ Fetched: 2026-04-30 13:54:28 UTC Canonical: https://phishdestroy.io/domain/hxyhxy.sbs/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 91/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Ethereum ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 8/94 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CyRadar, Fortinet, G-Data, Kaspersky, Sophos ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 67.215.241.243 (US, Los Angeles) ASN: AS36352 HostPapa Hosting org: RackNerd LLC Registrar: Global Domain Group LLC Nameservers: ["becky.ns.cloudflare.com", "conrad.ns.cloudflare.com"] Registered: 2026-04-19 Page title: imToken | Ethereum & Bitcoin Wallet ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: TrustAsia Technologies, Inc. / LiteSSL RSA CA 2025 Expires: 2026-07-11 Status: INVALID chain Fingerprint: beed3c7f903ea72645733a22a6dfdacc728daceeaabe021efa13ae3d46b17e25 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-19 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-19 05:52:40 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-19 02:53:41 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-04-27 07:40:06 UTC Neutralised: 2026-04-22 00:26:00 UTC Current status: taken down (registrar suspended or DNS dead) Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019da3a6-a3ca-7626-ac65-0c57dd25880f/ URLQuery: https://urlquery.net/report/845659e8-c177-489e-8393-387faac76ac1 Wayback Machine: https://web.archive.org/web/*/hxyhxy.sbs crt.sh CT logs: https://crt.sh/?q=%25.hxyhxy.sbs Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=hxyhxy.sbs AlienVault OTX: https://otx.alienvault.com/indicator/domain/hxyhxy.sbs URLhaus: https://urlhaus.abuse.ch/host/hxyhxy.sbs/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-19 05:53:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies the domain hxyhxy.sbs as an active credential phishing threat designed to harvest user login credentials under false pretenses. The site currently remains online and operational as of evaluation, posing a direct and measurable risk to individuals and organizations that may encounter it through email campaigns, social media links, or fraudulent advertisements. While the exact impersonated brand or service has not yet been confirmed through open-source intelligence, the site’s structure and metadata indicate a high likelihood of masquerading as a legitimate login portal to deceive visitors into surrendering sensitive authentication details. Immediate avoidance is strongly advised. This domain—registered on August 21, 2025, through Global Domain Group LLC—was detected resolving to IP address 67.215.241.243 and secured with an SSL certificate issued by TrustAsia Technologies, Inc. As of this analysis, VirusTotal shows zero detections across 95 scanning vendors, highlighting a window of opportunity for threat actors to exploit unprotected traffic before widespread blacklisting occurs. The domain has not yet appeared on major threat intelligence blocklists, suggesting it may be newly operational or carefully segmented to evade early detection systems. The combination of a recent creation date, low detection coverage, and active infrastructure signals a potentially high-risk phishing operation with evolving tactics. Given the absence of current blocklist inclusion and low antivirus coverage, hxyhxy.sbs represents an unchecked phishing threat that could rapidly expand its reach. Users are advised to avoid visiting the domain and report any encounters to relevant security teams using the provided IP and domain indicators. Organizations should consider proactive blocking of 67.215.241.243 and hxyhxy.sbs at network and DNS levels, while conducting heightened phishing awareness training focused on newly registered domains with suspicious SSL certificates. Continuous monitoring through threat intelligence feeds is recommended to detect any shifts in infrastructure or campaign expansion. The domain remains under active investigation by PhishDestroy’s anti-phishing team. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260419-CAB78D Favicon MD5: 4f4d924fcafc32c3a2b20e9eb1f74163 TLS cert SHA-256: beed3c7f903ea72645733a22a6dfdacc728daceeaabe021efa13ae3d46b17e25 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/hxyhxy.sbs/ JSON API: https://api.destroy.tools/v1/check?domain=hxyhxy.sbs Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io