# PhishDestroy threat dossier — jeweldust.vip
================================================================

Fetched:   2026-06-25 20:55:58 UTC
Canonical: https://phishdestroy.io/domain/jeweldust.vip/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Trust Wallet

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      4/95 security vendors flagged this domain
  Flagging vendors: ChainPatrol, alphaMountain.ai, Forcepoint ThreatSeeker, SOCRadar
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.1.28 (US, San Francisco)
ASN:             ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org:     AS13335 Cloudflare, Inc.
Registrar:       DYNADOT LLC
Nameservers:     addilyn.ns.cloudflare.com, koa.ns.cloudflare.com
Registered:      2026-04-24
Expires:         2027-04-24
Page title:      Trust Wallet Pro
HTTP response:   403

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-07-25
Status:     INVALID chain
Fingerprint: f1abc608906679a3d047a2a786d32dbba802a583560bc2019a962ac2839ce3b0

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-24 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-06-17 13:38:01 UTC (by PhishDestroy tracker)
First reported:    2026-06-17 16:04:40 UTC (abuse notice filed)
Last verified:     2026-06-25 20:24:14 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019ed55d-e56a-757d-a0f7-fa16aef89bf6/
URLQuery:         https://urlquery.net/report/415b6419-9acb-4754-8619-76ae768f4da1
Wayback Machine:  https://web.archive.org/web/*/jeweldust.vip
crt.sh CT logs:   https://crt.sh/?q=%25.jeweldust.vip
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=jeweldust.vip
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/jeweldust.vip
URLhaus:          https://urlhaus.abuse.ch/host/jeweldust.vip/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 20:23:21 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, jeweldust.vip, is currently flagged as an active brand impersonation threat specifically targeting Trust Wallet, a cryptocurrency wallet service. The site presents itself under the title 'Trust Wallet Pro,' attempting to deceive users into believing it is an official or enhanced version of the legitimate Trust Wallet platform. Analysis indicates this is a deliberate attempt to harvest credentials, private keys, or other sensitive financial information from unsuspecting victims.  Infrastructure analysis reveals the domain was registered on April 24, 2026, through DYNADOT LLC, a known registrar frequently associated with high-risk domains. It resolves to the IP address 104.21.1.28 and is protected by Cloudflare, which may obscure further network-level investigations. The SSL certificate is issued by Let's Encrypt, providing HTTPS encryption to lend a false sense of legitimacy. As of the latest scan, 4 out of 95 security vendors on VirusTotal have flagged this domain as malicious. Additionally, the domain appears on 3 distinct security blocklists, indicating prior detection and classification as a phishing resource. The site employs HTTP/3, a modern protocol that may bypass certain legacy security controls.  The domain remains active and poses an elevated risk to users, particularly those in the cryptocurrency ecosystem. Organizations and individuals are advised to block access to jeweldust.vip at the DNS or network perimeter level. Endpoint protection systems should be updated to include this domain in deny lists. Users who may have interacted with this site should immediately revoke any exposed credentials, review wallet permissions, and monitor for unauthorized transactions. Security teams are encouraged to correlate logs for connections to 104.21.1.28 and the domain jeweldust.vip to identify potential compromise. Ongoing monitoring of newly registered domains impersonating financial or cryptocurrency services is recommended to mitigate similar threats.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260617-52B908
TLS cert SHA-256:      f1abc608906679a3d047a2a786d32dbba802a583560bc2019a962ac2839ce3b0

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/jeweldust.vip/
JSON API:          https://api.destroy.tools/v1/check?domain=jeweldust.vip
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,022 domains (14,711 alive under monitoring, 154,619 confirmed takedowns/dead). Site: https://phishdestroy.io