# PhishDestroy threat dossier — imp-protocol.pages.dev ================================================================ Fetched: 2026-05-07 07:17:36 UTC Canonical: https://phishdestroy.io/domain/imp-protocol.pages.dev/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Sei ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CyRadar, Fortinet, G-Data, Google Safebrowsing, Kaspersky, Sophos ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.66.44.152 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Cloudflare, Inc. Nameservers: delilah.ns.cloudflare.com, martin.ns.cloudflare.com Registered: 2026-05-02 Page title: IMP Money - Automated Yield Infrastructure | 0.7% Daily Returns on USDT HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-07-31 Status: INVALID chain Fingerprint: dd5a25119067f3fbdce4fcbd669cdbababf9a43d7ee1337bb58d49fae5098f97 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-02 19:06:26 UTC (by PhishDestroy tracker) Last verified: 2026-05-04 19:40:05 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019de96f-0101-76bf-885c-9df095c15f1c/ Wayback Machine: https://web.archive.org/web/*/imp-protocol.pages.dev crt.sh CT logs: https://crt.sh/?q=%25.imp-protocol.pages.dev Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=imp-protocol.pages.dev AlienVault OTX: https://otx.alienvault.com/indicator/domain/imp-protocol.pages.dev URLhaus: https://urlhaus.abuse.ch/host/imp-protocol.pages.dev/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-02 19:07:23 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies imp-protocol.pages.dev as a site actively impersonating the Sei blockchain brand to deceive users into sharing sensitive information or downloading malicious software. This domain leverages Cloudflare’s infrastructure and a Let’s Encrypt SSL certificate to appear legitimate, exploiting Sei’s reputation to trick visitors into believing the site is affiliated with the official Sei ecosystem. The threat is particularly insidious because it targets cryptocurrency users, who may be less familiar with brand impersonation tactics and more likely to engage with fraudulent interfaces. This domain was flagged for brand impersonation against Sei, a Layer-1 blockchain protocol. PhishDestroy’s investigation reveals 0 detections on VirusTotal out of 95 security engines, indicating low immediate detection but not confirming safety. The domain resolves to IP address 172.66.44.152 and is registered through Cloudflare, Inc., which provides anonymity and reduces traceability. The use of Cloudflare’s Pages.dev service further obscures the operator’s identity, making it difficult to assess intent or ownership. While the SSL certificate from Let’s Encrypt adds a veneer of authenticity, it does not validate the site’s legitimacy and is easily obtainable by malicious actors. Users who have visited imp-protocol.pages.dev should immediately cease any interaction with the site, including refraining from entering wallet addresses, private keys, or seed phrases. Even if no data was submitted, the site may attempt to install tracking scripts or malware. Disconnect from the network, scan your device with updated antivirus software, and consider revoking any session tokens or connected wallet permissions if you engaged with the site. Report the domain to Sei’s official security channels and to PhishDestroy for further analysis. If you entered sensitive information, contact your wallet provider immediately and transfer funds to a new, secure wallet. Always verify URLs and use bookmarks for official Sei platforms to avoid similar threats in the future. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 9f7b6040c07c2315477912eca336191c TLS cert SHA-256: dd5a25119067f3fbdce4fcbd669cdbababf9a43d7ee1337bb58d49fae5098f97 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/imp-protocol.pages.dev/ JSON API: https://api.destroy.tools/v1/check?domain=imp-protocol.pages.dev Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 146,786 domains (58,440 alive under monitoring, 87,955 confirmed takedowns/dead). Site: https://phishdestroy.io