# PhishDestroy threat dossier — koinlyte.com ================================================================ Fetched: 2026-07-12 18:40:30 UTC Canonical: https://phishdestroy.io/domain/koinlyte.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 87/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/95 security vendors flagged this domain Flagging vendors: Ermes Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.66.143.35 (NL, Amsterdam) ASN: AS200514 KnownSRV Ltd. Hosting org: KnownSRV Ltd Registrar: TuringSign Inc. d/b/a Cosmotown Nameservers: ns19.knownsrv.com, ns20.knownsrv.com Registered: 2026-06-21 Expires: 2027-06-21 Page title: Koinlyte ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-09-19 Status: INVALID chain Fingerprint: eefd6cdc800f51a93d92c541a10cf22a2251f42b8b0d80a94d33d297f567e28b Subject Alternative Names (related infrastructure — often same operator): - koinlyte.com.fastlinegroupplc.com - www.koinlyte.com.fastlinegroupplc.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 16:17:35 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 20:30:14 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f56b0-6860-71fd-ab6a-430bc81f1673/ Wayback Machine: https://web.archive.org/web/*/koinlyte.com crt.sh CT logs: https://crt.sh/?q=%25.koinlyte.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=koinlyte.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/koinlyte.com URLhaus: https://urlhaus.abuse.ch/host/koinlyte.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 16:48:23 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, koinlyte.com, is flagged as a high-risk cryptocurrency phishing site. Analysis indicates it was registered on June 21, 2026, through TuringSign Inc. d/b/a Cosmotown, a registrar frequently associated with newly created malicious domains. The domain currently resolves to the IP address 185.66.143.35, which has been linked to other phishing infrastructure in recent threat intelligence reports. While the exact phishing kit or targeted brand remains unverified, the domain is actively blocked by at least one security vendor and appears on a single blocklist, suggesting early-stage detection rather than widespread recognition. Infrastructure review reveals the use of a Let's Encrypt SSL certificate, a common tactic among threat actors to create a false sense of legitimacy. The certificate does not provide meaningful attribution, as Let's Encrypt is widely used for both legitimate and malicious purposes. VirusTotal data shows that only 1 out of 95 security vendors currently flags this domain, indicating limited visibility or recent activation. The discrepancy between the high-risk classification and low detection rate may reflect either a new campaign or a targeted operation with limited exposure. Defenders should treat this domain as an active threat. Network-level blocking of 185.66.143.35 and koinlyte.com is recommended, particularly for organizations handling cryptocurrency transactions or user credentials. Monitoring for connections to this IP or domain should be prioritized, with alerts triggered for any outbound requests. Given the domain's recent registration date and low detection rate, additional scrutiny of related infrastructure—such as co-hosted domains or adjacent IPs—may uncover further malicious activity. No evidence suggests this is part of a broader campaign, but the high-risk classification warrants immediate containment measures. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: cef546076d4363272157c13bdf6fd52b TLS cert SHA-256: eefd6cdc800f51a93d92c541a10cf22a2251f42b8b0d80a94d33d297f567e28b ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/koinlyte.com/ JSON API: https://api.destroy.tools/v1/check?domain=koinlyte.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,874 domains (49,621 alive under monitoring, 128,253 confirmed takedowns/dead). Site: https://phishdestroy.io