# PhishDestroy threat dossier — jitouuidvalidator.pages.dev
================================================================

Fetched:   2026-06-28 10:16:44 UTC
Canonical: https://phishdestroy.io/domain/jitouuidvalidator.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Generic Phishing
Targeted brand: Jito
Phishing kit: Verification Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.66.44.79 (US, San Francisco)
ASN:             ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org:     AS13335 Cloudflare, Inc.
Registrar:       Cloudflare, Inc.
Nameservers:     kay.ns.cloudflare.com, kyle.ns.cloudflare.com
Registered:      2025-06-21
Page title:      Wallet Verification
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-09-09
Status:     INVALID chain
Fingerprint: 3bee4552366940960d93e935dae2aa996fa18ccf7941d7bef2dbb28081a357c1

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-06-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-06-18 14:55:37 UTC (by PhishDestroy tracker)
Last verified:     2026-06-28 08:20:34 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019edacc-7fa5-7759-a4f8-342e90a72723/
Wayback Machine:  https://web.archive.org/web/*/jitouuidvalidator.pages.dev
crt.sh CT logs:   https://crt.sh/?q=%25.jitouuidvalidator.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=jitouuidvalidator.pages.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/jitouuidvalidator.pages.dev
URLhaus:          https://urlhaus.abuse.ch/host/jitouuidvalidator.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 19:25:42 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, jitouuidvalidator.pages.dev, is currently under investigation for cryptocurrency wallet phishing activity. The site presents itself as a "Wallet Verification" portal, a common tactic used to deceive users into disclosing private keys, seed phrases, or login credentials for digital asset wallets. No specific brand impersonation has been confirmed at this stage, though the generic verification theme aligns with widespread phishing campaigns targeting decentralized finance (DeFi) and cryptocurrency users. The domain remains active and accessible as of the latest verification.  Infrastructure analysis reveals the domain was registered on June 21, 2025, through Cloudflare, Inc., and resolves to the IP address 172.66.44.79, hosted on autonomous system AS13335 (Cloudflare, Inc.) in the United States. Despite its recent creation, the domain has already been flagged on one security blocklist (PhishDestroy). VirusTotal reports zero detections across 95 security vendors, indicating either evasion of current detection mechanisms or limited exposure thus far. The SSL certificate is issued by Google Trust Services (WE1), providing a veneer of legitimacy through encrypted HTTPS connections. The use of Cloudflare’s content delivery network further complicates attribution and takedown efforts, as it masks the origin server and provides DDoS protection.  Current risk assessment places this domain in an active but unconfirmed threat state. While no malicious payloads or direct compromise indicators have been observed, the combination of a newly registered domain, a phishing-relevant page title, and minimal detection coverage warrants heightened scrutiny. Organizations and individuals are advised to block access to jitouuidvalidator.pages.dev at the network perimeter via DNS filtering or firewall rules. End users should be alerted to avoid interacting with any site requesting wallet verification, especially those hosted on non-branded or recently registered domains. Security teams are encouraged to monitor for connections to 172.66.44.79 and correlate with cryptocurrency transaction logs for potential unauthorized access attempts. Further investigation into associated infrastructure, such as subdomains or linked IP ranges, is recommended to identify related threat activity.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       b8a0bf372c762e966cc99ede8682bc71
TLS cert SHA-256:      3bee4552366940960d93e935dae2aa996fa18ccf7941d7bef2dbb28081a357c1

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/jitouuidvalidator.pages.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=jitouuidvalidator.pages.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 171,060 domains (13,257 alive under monitoring, 157,384 confirmed takedowns/dead). Site: https://phishdestroy.io