# PhishDestroy threat dossier — imtokee.com.cn
================================================================
Fetched: 2026-05-01 21:02:08 UTC
Canonical: https://phishdestroy.io/domain/imtokee.com.cn/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 82/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/95 security vendors flagged this domain
URLQuery: 2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 154.206.128.231 (HK, Hong Kong)
ASN: AS139880 OWGELS INTERNATIONAL CO., LIMITED
Hosting org: Starbow Ltd
Registrar: Web Commerce Communications Limited
Nameservers: a.share-dns.com, a7.share-dns.com, b.share-dns.net, b7.share-dns.net
Registered: 2026-04-03
Page title: imToken官网下载 - 全球领先多链去中心化数字钱包
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-07-10
Status: INVALID chain
Fingerprint: 75fec49d08ffdee5ea7e62f29cc511007061f4e74c9a34688786ef603f8947be
Subject Alternative Names (related infrastructure — often same operator):
- imtokeb.com.cn
- imtoked.com.cn
- imtokef.com.cn
- imtokeg.com.cn
- imtokeh.com.cn
- imtokei.com.cn
- imtokej.com.cn
- imtokek.com.cn
- imtokel.com.cn
- www.imtokeb.com.cn
- www.imtoked.com.cn
- www.imtokee.com.cn
- www.imtokef.com.cn
- www.imtokeg.com.cn
- www.imtokeh.com.cn
... +4 more

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-03 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-01 15:34:46 UTC (by PhishDestroy tracker)
First reported: 2026-05-01 12:36:07 UTC (abuse notice filed)
Last verified: 2026-05-01 21:10:04 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019de388-09ea-77be-9fa6-bf2fb9611f8b/
URLQuery: https://urlquery.net/report/43ad8e8d-1d2c-48d3-970f-8b42e3473d2d
Wayback Machine: https://web.archive.org/web/*/imtokee.com.cn
crt.sh CT logs: https://crt.sh/?q=%25.imtokee.com.cn
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=imtokee.com.cn
AlienVault OTX: https://otx.alienvault.com/indicator/domain/imtokee.com.cn
URLhaus: https://urlhaus.abuse.ch/host/imtokee.com.cn/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-01 15:35:43 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

imtokee.com.cn is a fraudulent website engineered to impersonate OKX, a major cryptocurrency exchange, with the goal of deceiving visitors into surrendering sensitive account credentials or cryptocurrency assets. The domain leverages the trust associated with the OKX brand to trick users into believing it is an official platform. Once a victim lands on the site, threat actors can harvest login details or prompt wallet connections that drain funds directly—common tactics used by crypto drainers to siphon digital assets under the guise of legitimacy. This is not a legitimate service and should be treated as malicious from the moment of first interaction.
PhishDestroy identifies this domain as actively engaged in brand impersonation. The site was registered on April 3, 2026 through Web Commerce Communications Limited and currently resolves to IP address 154.206.128.231. Its SSL certificate is issued by Let's Encrypt, a tactic often used to appear trustworthy. Crucially, analysis via VirusTotal shows zero detections among 95 security engines, highlighting how newly registered and lightly monitored malicious domains can evade detection at scale. The combination of recent registration (April 2026), low detection rate, and association with a well-known exchange suggests this is a newly deployed threat designed for rapid exploitation before wider recognition.

If you visited imtokee.com.cn, cease all interaction immediately and do not input any login credentials or recovery phrases, and do not connect any cryptocurrency wallets. Change your passwords on OKX or any linked accounts, enable two-factor authentication, and monitor for unauthorized transactions. Report suspicious links to OKX support and block the domain from your network. Consider using a reputable ad-blocker or DNS filtering tool like Quad9 or NextDNS to block access to known malicious domains proactively. Stay vigilant—crypto-focused threat actors increasingly use impersonation sites to exploit trust and drain accounts within hours of domain activation.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260501-27934F
Favicon MD5: 293833145eeef25d5409a293beaba413
TLS cert SHA-256: 75fec49d08ffdee5ea7e62f29cc511007061f4e74c9a34688786ef603f8947be

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/imtokee.com.cn/
JSON API: https://api.destroy.tools/v1/check?domain=imtokee.com.cn
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io