# PhishDestroy threat dossier — jnwhcy.com ================================================================ Fetched: 2026-07-01 10:00:21 UTC Canonical: https://phishdestroy.io/domain/jnwhcy.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: cryptocurrency ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 4/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker, Gridinsoft, SOCRadar AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 91.110.224.20 (GB, Martlesham) ASN: AS40065 CNSERVERS LLC Hosting org: EE Limited Registrar: West263 International Limited Nameservers: ["ns1.363.hk", "ns2.363.hk", "ns3.363.hk", "ns4.363.hk", "ns5.363.hk", "ns6.363.hk"] Page title: Home ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE2 Expires: 2026-08-31 Status: INVALID chain Fingerprint: 3e9319c2d26671c723341600c6b2e6cfad6eadf4609a974c4a9b27984c176b18 Subject Alternative Names (related infrastructure — often same operator): - m.jnwhcy.com - www.jnwhcy.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-06-09 17:26:35 UTC (by PhishDestroy tracker) First reported: 2026-06-09 15:36:34 UTC (abuse notice filed) Last verified: 2026-07-01 08:20:36 UTC Neutralised: 2026-06-15 00:51:50 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019ead02-4ecc-747e-b129-8ff787f3c063/ URLQuery: https://urlquery.net/report/2f49535e-9e4c-440a-8bca-22733d9b6eee Wayback Machine: https://web.archive.org/web/*/jnwhcy.com crt.sh CT logs: https://crt.sh/?q=%25.jnwhcy.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=jnwhcy.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/jnwhcy.com URLhaus: https://urlhaus.abuse.ch/host/jnwhcy.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-25 17:35:28 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is actively conducting phishing operations targeting cryptocurrency users by masquerading as a legitimate wallet service. Analysis indicates the infrastructure is designed to harvest login credentials, private keys, and recovery phrases through deceptive interfaces that closely mimic authentic platforms. The threat specifically exploits users attempting to access or recover digital assets, redirecting them to fraudulent input forms that transmit sensitive data to attacker-controlled servers. Infrastructure analysis reveals multiple high-confidence indicators of compromise. The domain jnwhcy.com is registered through West263 International Limited and currently resolves to the IP address 91.110.224.20. Security vendors on VirusTotal have flagged this domain at a ratio of 4/95, with detection signatures identifying it as a phishing endpoint. The domain appears on three distinct security blocklists, including those specializing in financial fraud prevention. The SSL certificate, issued by Let's Encrypt (serial number YE2), does not mitigate the risk, as phishing domains frequently use valid certificates to appear legitimate. Users who have visited jnwhcy.com or entered any information on the site should immediately take corrective actions. First, revoke any permissions granted to the domain in wallet applications or browser extensions. Second, transfer all digital assets to a new wallet with a fresh seed phrase, as private keys may have been compromised. Third, monitor all linked accounts for unauthorized transactions and enable additional authentication factors where available. If financial losses have occurred, report the incident to relevant authorities and provide them with the domain, IP address, and any transaction hashes associated with the fraudulent activity. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260609-7EB781 TLS cert SHA-256: 3e9319c2d26671c723341600c6b2e6cfad6eadf4609a974c4a9b27984c176b18 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/jnwhcy.com/ JSON API: https://api.destroy.tools/v1/check?domain=jnwhcy.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,410 domains (13,246 alive under monitoring, 159,488 confirmed takedowns/dead). Site: https://phishdestroy.io