# PhishDestroy threat dossier — inter-coinprostart.framer.media
================================================================
Fetched: 2026-05-11 13:59:56 UTC
Canonical: https://phishdestroy.io/domain/inter-coinprostart.framer.media/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 81/100 (PhishDestroy scoring — see methodology below)
Scam classification: Fake Exchange
Targeted brand: Coinbase

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/95 security vendors flagged this domain
Flagging vendors: ChainPatrol

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 31.43.161.6 (NL, Amsterdam)
ASN: AS16509 Amazon.com, Inc.
Hosting org: Framer B.V
Registrar: CSC Corporate Domains, Inc.
Nameservers: ["ns-97.awsdns-12.com", "ns-1854.awsdns-39.co.uk", "ns-535.awsdns-02.net", "ns-1267.awsdns-30.org"]
Registered: 2026-05-09
Page title: Coinbase Pro® | Digital Asset Exchange®
HTTP response: 404

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-07-17
Status: INVALID chain
Fingerprint: 32a96833f3efa50342b6733037b1a1a711a3d07d838a946a6a11257a5fba1b50

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-09 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-09 11:15:45 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-05-09 08:17:37 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-11 13:40:02 UTC
Neutralised: 2026-05-09 19:41:56 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e0bcc-a0ae-745c-85f3-a2c10b9df913/
URLQuery: https://urlquery.net/report/8faa7a1c-260b-4a44-9723-6efbb8e8011f
Wayback Machine: https://web.archive.org/web/*/inter-coinprostart.framer.media
crt.sh CT logs: https://crt.sh/?q=%25.inter-coinprostart.framer.media
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=inter-coinprostart.framer.media
AlienVault OTX: https://otx.alienvault.com/indicator/domain/inter-coinprostart.framer.media
URLhaus: https://urlhaus.abuse.ch/host/inter-coinprostart.framer.media/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-09 11:16:40 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies inter-coinprostart.framer.media as an active phishing domain designed to trick cryptocurrency investors into surrendering wallet credentials or funds. The site mimics legitimate investment platforms to harvest sensitive data under the guise of profit opportunities. Criminals often weaponize free website builders like Framer to rapidly deploy fraudulent portals, exploiting user trust in familiar services. This specific domain employs a Let’s Encrypt SSL certificate to appear legitimate, masking its malicious intent behind a veneer of authenticity. Users who land here risk immediate financial theft or credential compromise, with no direct benefit beyond the attackers’ illicit gains.

This domain was flagged by PhishDestroy due to its elevated risk profile and confirmed malicious behavior. Intelligence shows it resolves to IP address 31.43.161.6 and was detected by only 1 out of 95 VirusTotal security vendors at time of analysis. Such low detection rates highlight how threat actors exploit gaps in automated scanning, leveraging evasion tactics like dynamic infrastructure and obfuscated JavaScript to bypass defenses. While domain registration details are not publicly disclosed, the use of a Framer subdomain suggests a recent deployment—likely within days or weeks—aimed at capitalizing on trending investment narratives.

If you visited inter-coinprostart.framer.media, take immediate action to protect your assets and identity. Disconnect from the internet to prevent any ongoing data exfiltration, then run a full antivirus scan on all devices used to access the site. Revoke any cryptocurrency wallet permissions granted to suspicious domains and monitor accounts for unauthorized transactions. Report the domain to your bank, wallet provider, and cybercrime authorities such as the FBI IC3 or your local cybercrime unit. Avoid clicking on any links or downloading files from this site in the future, and warn others who may have been exposed. Always verify investment platforms through official channels and use hardware wallets for crypto transactions to minimize exposure.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260509-096FD3
Favicon MD5: 9e421d0b86bb58ca789f5c62a2e6e973
TLS cert SHA-256: 32a96833f3efa50342b6733037b1a1a711a3d07d838a946a6a11257a5fba1b50

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/inter-coinprostart.framer.media/
JSON API: https://api.destroy.tools/v1/check?domain=inter-coinprostart.framer.media
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 148,214 domains (45,143 alive under monitoring, 102,722 confirmed takedowns/dead).
Site: https://phishdestroy.io