# PhishDestroy threat dossier — jupairdrop.onspace.build
================================================================

Fetched:   2026-05-02 15:40:41 UTC
Canonical: https://phishdestroy.io/domain/jupairdrop.onspace.build/

## VERDICT
----------------------------------------------------------------
STATUS STALE — last probed 19 days ago, treat as ACTIVE until re-verified
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: cryptocurrency
Targeted brand: Airdrop Scam
Wallet drainer: Solana Drainer

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      14/95 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, BitDefender, CRDF, CyRadar, Fortinet, G-Data, Google Safebrowsing, Kaspersky, Lionic, SOCRadar, Sophos, Trustwave, Webroot, alphaMountain.ai
URLQuery:        100 detections
Public blocklists: listed on 3 independent blocklists
Google Safe Browsing: FLAGGED
Victim re-reports (public form): 1

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      43.130.171.225 (US, Ashburn)
ASN:             ASAS132203 Tencent Building, Kejizhongyi Avenue
Hosting org:     AS132203 Tencent Building, Kejizhongyi Avenue
Registrar:       Aceville Pte. Ltd.
Nameservers:     anastasia.dnspod.net, anemone.dnspod.net
Registered:      2026-02-21
Expires:         2027-01-07
Page title:      JUP USD AirDrop - 1,000,000 SOL Distribution

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     DigiCert Inc / RapidSSL TLS RSA CA G1
Expires:    2027-01-06
Status:     INVALID chain
Fingerprint: 577a146d8c5d259460ec80f28be10f331393f7701b13320a91715699dae16631
Subject Alternative Names (related infrastructure — often same operator):
  - onspace.build

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-02-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-02-25 02:39:27 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-01-20 18:52:29 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-04-13 06:02:05 UTC (STALE — 19 days ago, re-verify)
Flagged dead:      2026-03-15 06:12:04 UTC (NOT RE-VERIFIED IN 19 DAYS — treat as unconfirmed)
Current status:    UNCONFIRMED (our live-probe is 19 days stale)

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019bdc1b-0099-71bc-bc0b-28940c27b456/
Wayback Machine:  https://web.archive.org/web/*/jupairdrop.onspace.build
crt.sh CT logs:   https://crt.sh/?q=%25.jupairdrop.onspace.build
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=jupairdrop.onspace.build
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/jupairdrop.onspace.build
URLhaus:          https://urlhaus.abuse.ch/host/jupairdrop.onspace.build/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-03-19 01:23:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies jupairdrop.onspace.build as a dangerous phishing website designed to steal cryptocurrency assets. The domain, now offline, was flagged for social engineering tactics aimed at users interested in Solana token airdrops. Such sites pose a high threat because they attempt to trick visitors into revealing sensitive wallet credentials, leading to unauthorized access and loss of funds.

This phishing scam operated by impersonating a legitimate airdrop event, promising a large distribution of SOL tokens to lure victims. It employed a Solana drainer kit, which is malicious software crafted to siphon cryptocurrency from compromised wallets. Users were likely prompted to connect their crypto wallets or input private keys, which attackers then exploited to drain accounts. The domain was registered through a less transparent registrar and appeared on multiple security blocklists, reinforcing its malicious intent.

If you have visited jupairdrop.onspace.build, it is crucial to immediately secure your cryptocurrency wallets. Change any exposed private keys or seed phrases and move funds to new wallets if possible. Avoid interacting with similar unsolicited airdrop offers and verify legitimacy through official channels. Employ strong security practices such as hardware wallets and two-factor authentication to reduce the risk of future compromises. PhishDestroy recommends staying vigilant against social engineering scams in the crypto space.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon SHA-256:       78d28569332c36cea69c27346a5fd63344998e4b65c0b3f9f6fefafb8820f195
TLS cert SHA-256:      577a146d8c5d259460ec80f28be10f331393f7701b13320a91715699dae16631

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/jupairdrop.onspace.build/
JSON API:          https://api.destroy.tools/v1/check?domain=jupairdrop.onspace.build
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io