# PhishDestroy threat dossier — laundrycheck.xyz ================================================================ Fetched: 2026-07-14 05:34:40 UTC Canonical: https://phishdestroy.io/domain/laundrycheck.xyz/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Investment Scam Targeted brand: AML Scam Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: Forcepoint ThreatSeeker, Gridinsoft, SOCRadar AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.134.40 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: NameSilo, LLC !!! REGISTRAR INTEGRITY ALERT — NameSilo !!! NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received. Primary sources: https://phishdestroy.io/namesilo-killed-our-twitter https://phishdestroy.io/xmrwallet-namesilo-exposed Nameservers: patrick.ns.cloudflare.com, suzanne.ns.cloudflare.com Registered: 2026-07-04 Expires: 2027-07-04 Page title: Unlock Finance Success with AMLTestWallet & AMLCheck 2! HTTP response: 502 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: none Status: INVALID chain ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-05 16:07:17 UTC (by PhishDestroy tracker) Last verified: 2026-07-14 04:20:38 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3299-ffaa-70fc-b968-d36ca54fe525/ Wayback Machine: https://web.archive.org/web/*/laundrycheck.xyz crt.sh CT logs: https://crt.sh/?q=%25.laundrycheck.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=laundrycheck.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/laundrycheck.xyz URLhaus: https://urlhaus.abuse.ch/host/laundrycheck.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-05 16:14:32 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, laundrycheck.xyz, poses a targeted brand impersonation threat against users of AMLCheck and related cryptocurrency wallet services. Analysis of the page content reveals a fraudulent interface titled 'Unlock Finance Success with AMLTestWallet & AMLCheck 2!', designed to deceive victims into interacting with a counterfeit wallet portal. The site employs social engineering tactics, likely aiming to harvest credentials or facilitate unauthorized transactions, consistent with crypto drainer or wallet hijacking schemes. The presence of technologies such as SweetAlert2 and jsDelivr suggests the use of dynamic, interactive elements to enhance the illusion of legitimacy and manipulate user actions. Infrastructure analysis reveals multiple technical indicators supporting the elevated risk assessment. The domain was registered on July 04, 2024, through NameSilo, LLC, a registrar frequently observed in fraudulent campaigns. It resolves to the IP address 172.67.134.40, hosted behind Cloudflare, which is commonly leveraged to obfuscate origin servers and evade detection. Detection metrics show limited but concerning coverage, with only 1 of 95 security vendors on VirusTotal flagging the domain as malicious. Additionally, the domain appears in one threat intelligence pulse on AlienVault OTX, further corroborating its association with active malicious activity. The SSL certificate is issued by Google Trust Services, providing a veneer of security while the underlying infrastructure remains compromised. Users who have visited laundrycheck.xyz or interacted with its content are advised to take immediate corrective actions. Any credentials, recovery phrases, or private keys entered on the site should be considered compromised and revoked immediately. Affected individuals should disconnect all active sessions from legitimate wallet services, monitor transaction histories for unauthorized activity, and rotate credentials for associated accounts. Browser data, including cookies and cached content, should be cleared to eliminate residual tracking mechanisms. If cryptocurrency transactions were initiated, users should report the incident to relevant blockchain analysis platforms and law enforcement authorities to assist in tracking stolen assets. Proactive monitoring of financial and identity-related services is recommended to detect potential follow-up exploitation. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/laundrycheck.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=laundrycheck.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,337 domains (50,014 alive under monitoring, 128,323 confirmed takedowns/dead). Site: https://phishdestroy.io