# PhishDestroy threat dossier — libertywsap.finance
================================================================
Fetched: 2026-04-22 14:11:55 UTC
Canonical: https://phishdestroy.io/domain/libertywsap.finance/

## VERDICT
----------------------------------------------------------------
STATUS STALE — last probed 22 days ago, treat as ACTIVE until re-verified
Composite threat score: 89/100 (PhishDestroy scoring — see methodology below)
Scam classification: cryptocurrency
Targeted brand: WalletConnect
Wallet drainer: Wallet Connect Abuse

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 2/95 security vendors flagged this domain
Flagging vendors: Fortinet, Seclookup
Public blocklists: listed on 1 independent blocklist
Victim re-reports (public form): 1

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 101.99.76.141 (NL, Dronten)
ASN: AS45839 SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, MY
Hosting org: AS45839 Shinjiru Technology Sdn Bhd
Registrar: SHINJIRU-MY (ASN: 45839)
Nameservers: 1-you.njalla.no, 2-can.njalla.in, 3-get.njalla.fo
Page title: Liberty Swap
HTTP response: 403

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-04-29
Status: INVALID chain
Fingerprint: 02ae87470f205ec1d4952f5c7d20dc0aef6fd68703c1962229deb168d19e61dd

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
First detected: 2026-02-25 02:39:27 UTC (by PhishDestroy tracker)
First reported: 2025-09-27 09:38:57 UTC (abuse notice filed)
Last verified: 2026-03-31 00:49:31 UTC (STALE — 22 days ago, re-verify)
Flagged dead: 2026-03-05 01:08:52 UTC (NOT RE-VERIFIED IN 22 DAYS — treat as unconfirmed)
Current status: UNCONFIRMED (our live-probe is 22 days stale)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/01998a89-a1f7-77af-89de-7ea505ef6944/
Wayback Machine: https://web.archive.org/web/*/libertywsap.finance
crt.sh CT logs: https://crt.sh/?q=%25.libertywsap.finance
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=libertywsap.finance
AlienVault OTX: https://otx.alienvault.com/indicator/domain/libertywsap.finance
URLhaus: https://urlhaus.abuse.ch/host/libertywsap.finance/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-03-03 02:30:09 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies libertywsap.finance as a low-risk but active crypto drainer targeting cryptocurrency users. Operating under the guise of 'Liberty Swap,' this domain leverages a Wallet Connect abuse drainer kit designed to illicitly siphon funds from victims' wallets. Although not highly pervasive, it poses a tangible threat to those engaging with the platform. The domain resolves to IP address 101.99.76.141 and is registered through SHINJIRU-MY (ASN 45839). It currently appears on one security blocklist and has been flagged by two security vendors on VirusTotal, indicating some level of detection but continued activity.
The infrastructure suggests a relatively low-profile operation aiming to exploit users via wallet connection vulnerabilities.

Users are strongly advised to avoid libertywsap.finance and any related URLs or wallet connection prompts originating from this domain. Cryptocurrency holders should verify transaction requests carefully and employ hardware wallets or trusted interfaces to mitigate risk. Staying vigilant against unauthorized wallet access is crucial to preventing potential asset loss linked to this threat.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon SHA-256: 0de0c5cb87f75cda5269ee13fc4f5700bf00a486216c387c6bb9c1b765affe7e
TLS cert SHA-256: 02ae87470f205ec1d4952f5c7d20dc0aef6fd68703c1962229deb168d19e61dd

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged.
A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/libertywsap.finance/
JSON API: https://api.destroy.tools/v1/check?domain=libertywsap.finance
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io