# PhishDestroy threat dossier — ktxp.httvd.com ================================================================ Fetched: 2026-04-22 18:41:54 UTC Canonical: https://phishdestroy.io/domain/ktxp.httvd.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 93/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 22/94 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Fortinet, Seclookup, Webroot URLQuery: 3 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 43.169.25.95 (CN, Haidian) ASN: AS139341 ACE Hosting org: Tencent Cloud Computing (Beijing) Co., Ltd Registrar: West263 International Limited Nameservers: ns1.teodns.com, ns2.teodns.com Registered: 2026-04-02 Page title: imToken 官网|以太坊和比特币区块链钱包 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-07-11 Status: INVALID chain Fingerprint: 1c55d816656ff240344958c2569f45f601e1ef5c514ebbb7985cd3b2f363753b Subject Alternative Names (related infrastructure — often same operator): - httvd.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-21 03:17:54 UTC (by PhishDestroy tracker) First reported: 2026-04-21 00:18:29 UTC (abuse notice filed) Last verified: 2026-04-22 13:40:12 UTC Neutralised: 2026-04-21 22:05:43 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dad65-0a6c-75af-bb63-1e6d7299d3f7/ URLQuery: https://urlquery.net/report/fc01852c-b3f6-4683-be42-b57a3c02eacd Wayback Machine: https://web.archive.org/web/*/ktxp.httvd.com crt.sh CT logs: https://crt.sh/?q=%25.ktxp.httvd.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ktxp.httvd.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/ktxp.httvd.com URLhaus: https://urlhaus.abuse.ch/host/ktxp.httvd.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-21 03:18:36 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies ktxp.httvd.com as an active crypto drainer phishing domain with an elevated risk profile. This domain is engineered to deceive cryptocurrency users by impersonating legitimate platforms or services, with the explicit goal of draining digital assets from unsuspecting victims. The threat actor leverages social engineering tactics, such as fake airdrop campaigns, fraudulent wallet integrations, or spoofed exchange interfaces, to trick users into connecting their wallets or signing malicious transactions. Given the domain’s recent creation, minimal detection coverage, and infrastructure choices, the risk of successful exploitation remains high, particularly in environments where users interact with crypto-related services. This domain was flagged by PhishDestroy after analysis revealed multiple red flags. VirusTotal reports that 4 out of 95 security vendors have detected malicious activity associated with ktxp.httvd.com, indicating poor detection coverage and a high likelihood of evading automated defenses. The domain resolves to IP address 43.169.25.95, which shows no legitimate association with reputable services and has been linked to previous phishing campaigns. The SSL certificate, issued by Let’s Encrypt, provides a false sense of security by appearing legitimate, while the domain was registered through West263 International Limited—a registrar known for anonymity and abuse tolerance. Notably, ktxp.httvd.com was created on April 02, 2026, suggesting a recent and likely opportunistic campaign. Additional telemetry indicates that the domain has not yet been widely blocked by major threat intelligence platforms, further increasing its potential reach and impact. To mitigate the threat posed by ktxp.httvd.com, organizations and individual users must take immediate action. Block the domain at the network level using DNS filtering, endpoint protection, or firewall rules to prevent access. Users should avoid interacting with any links, advertisements, or emails referencing this domain, as it may lead to wallet compromise or credential theft. For cryptocurrency users, enable transaction simulation tools or hardware wallet confirmations to detect suspicious outgoing transfers. If the domain is encountered in the context of a crypto-related service, report it to the legitimate platform being impersonated and submit the domain to threat intelligence platforms like VirusTotal for broader dissemination. Finally, ensure all wallet software and browser extensions are updated to the latest versions, as threat actors often exploit outdated software to deliver drainer scripts. Proactive monitoring of blockchain transactions for unauthorized activity is strongly recommended to detect and reverse potential thefts. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260421-BD9E9B Favicon MD5: 4f4d924fcafc32c3a2b20e9eb1f74163 TLS cert SHA-256: 1c55d816656ff240344958c2569f45f601e1ef5c514ebbb7985cd3b2f363753b ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/ktxp.httvd.com/ JSON API: https://api.destroy.tools/v1/check?domain=ktxp.httvd.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io