# PhishDestroy threat dossier — hyperstake.org ================================================================ Fetched: 2026-07-13 11:25:08 UTC Canonical: https://phishdestroy.io/domain/hyperstake.org/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Crypto Drainer ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Gridinsoft, SOCRadar AlienVault OTX: 3 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: Global Domain Group LLC Nameservers: karsyn.ns.cloudflare.com, sage.ns.cloudflare.com Registered: 2026-06-01 Expires: 2027-06-01 Page title: Un instant… HTTP response: 301 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-08-30 Status: INVALID chain Fingerprint: 507a5be38667c42ef22ea139c50ce084355fd058e9ab6b7fd6d954c0eb65c5a4 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-10 16:50:41 UTC (by PhishDestroy tracker) First reported: 2026-07-12 19:19:43 UTC (abuse notice filed) Last verified: 2026-07-13 12:20:40 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4c81-48e6-70bc-86e8-2398ee4076d9/ URLQuery: https://urlquery.net/report/3cb5f4d5-1cbe-484e-833c-53541942267a Wayback Machine: https://web.archive.org/web/*/hyperstake.org crt.sh CT logs: https://crt.sh/?q=%25.hyperstake.org Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=hyperstake.org AlienVault OTX: https://otx.alienvault.com/indicator/domain/hyperstake.org URLhaus: https://urlhaus.abuse.ch/host/hyperstake.org/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 18:45:16 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain hyperstake.org was registered on June 01, 2026 through Global Domain Group LLC and currently resolves to the Cloudflare‑owned address 188.114.97.3. DNS resolution is handled by karsyn.ns.cloudflare.com and sage.ns.cloudflare.com, indicating the use of Cloudflare’s CDN and the newer HTTP/3 protocol. The site presents an SSL certificate issued by Google Trust Services under the WE1 label, and HTTP requests are redirected with a 301 status code. The page title returned from the server is “Un instant…”, but no further content analysis is available. Threat intelligence sources have recorded the domain in three separate AlienVault OTX pulses, and VirusTotal has flagged it by three out of ninety‑five scanned security vendors. Active blocklists have already added hyperstake.org, with specific blocks applied by SEAL, MetaMask, and PhishDestroy. The domain is classified as a crypto drainer, a high‑risk threat that typically attempts to siphon cryptocurrency assets from unsuspecting users. Analysis indicates that the infrastructure choices—Cloudflare fronting, HTTP/3 support, and a legitimate‑looking SSL certificate—are deliberately selected to increase perceived trustworthiness and to obscure the true origin of the malicious payload. The limited detection count suggests that the campaign may be in an early deployment stage, but the presence on multiple blocklists and the active status confirm ongoing operation. The exact payload delivery mechanism and the full extent of compromised accounts remain uncertain due to the lack of page content inspection. Defenders should immediately add hyperstake.org to network and endpoint block lists, enforce DNS sinkholing for the domain, and monitor outbound connections to the 188.114.97.3 IP address. Continuous threat‑intel feeds should be consulted for any escalation in detection counts, and security teams should alert users to the risk of unsolicited cryptocurrency requests that may be routed through this domain. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-2617E2 Favicon MD5: e68648be696b5f035fc1b92a991d3dee TLS cert SHA-256: 507a5be38667c42ef22ea139c50ce084355fd058e9ab6b7fd6d954c0eb65c5a4 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/hyperstake.org/ JSON API: https://api.destroy.tools/v1/check?domain=hyperstake.org Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,033 domains (49,750 alive under monitoring, 128,283 confirmed takedowns/dead). Site: https://phishdestroy.io