# PhishDestroy threat dossier — kcexx280.com ================================================================ Fetched: 2026-04-22 22:59:18 UTC Canonical: https://phishdestroy.io/domain/kcexx280.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 17/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Fortinet, G-Data, Google Safebrowsing, Gridinsoft, LevelBlue, Lionic, Seclookup, Sophos, VIPRE, Webroot URLQuery: 3 detections Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.196.75 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: NameSilo, LLC !!! REGISTRAR INTEGRITY ALERT — NameSilo !!! NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received. Primary sources: https://phishdestroy.io/namesilo-killed-our-twitter https://phishdestroy.io/xmrwallet-namesilo-exposed Nameservers: dilbert.ns.cloudflare.com, tara.ns.cloudflare.com Registered: 2026-04-01 Page title: KCEX HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-22 21:21:30 UTC (by PhishDestroy tracker) First reported: 2026-04-22 18:23:55 UTC (abuse notice filed) Last verified: 2026-04-23 01:40:02 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019db66b-d8e7-768c-82c1-45256122e7a0/ URLQuery: https://urlquery.net/report/3451ae1e-1d8c-4483-9131-8ab3a56b8554 Wayback Machine: https://web.archive.org/web/*/kcexx280.com crt.sh CT logs: https://crt.sh/?q=%25.kcexx280.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=kcexx280.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/kcexx280.com URLhaus: https://urlhaus.abuse.ch/host/kcexx280.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-22 21:23:23 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies kcexx280.com as an active crypto drainer impersonating the KCEX cryptocurrency exchange platform. This domain is classified under generic phishing threats with a high risk level and remains active at the time of analysis. Users are urged to treat this domain with extreme caution due to its malicious intent to deceive visitors into unknowingly transferring cryptocurrency assets to attacker-controlled wallets. kcexx280.com exhibits multiple red flags across security platforms, with 17 out of 95 VirusTotal security vendors flagging it as malicious. The domain was registered through NameSilo, LLC and resolves to IP address 172.67.196.75. It carries a Let's Encrypt SSL certificate and was created on April 01, 2026. This domain appears on one security blocklist and has been flagged by Google Safe Browsing under the SOCIAL_ENGINEERING category. Despite its recent creation date (which may be intentionally misleading), the combination of active phishing operations and multiple detection vectors confirms its malicious nature. Given the active status of kcexx280.com and its confirmed malicious operations, users should immediately block this domain and avoid any interaction with it. The presence of a valid SSL certificate combined with modern phishing tactics suggests this domain is designed to appear legitimate while executing crypto drainer attacks. PhishDestroy recommends verifying all domains purporting to represent KCEX or similar cryptocurrency services through official verification channels before engaging. Users who may have already interacted with this domain should immediately revoke any wallet connection permissions and transfer remaining assets to a secure, newly generated wallet address. Additionally, consider reporting this domain to relevant cryptocurrency platforms and security organizations to help prevent further victimization. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260422-50AFA8 Favicon MD5: 1d0706ce5aa1e2b9c39f541ca3906324 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/kcexx280.com/ JSON API: https://api.destroy.tools/v1/check?domain=kcexx280.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io