# PhishDestroy threat dossier — luckymusk.com ================================================================ Fetched: 2026-04-21 19:29:49 UTC Canonical: https://phishdestroy.io/domain/luckymusk.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Survey/Prize Scam Targeted brand: Crypto Casino / Gambling Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 5/94 security vendors flagged this domain Flagging vendors: Forcepoint ThreatSeeker, G-Data, Kaspersky, SOCRadar, Sophos URLQuery: 2 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.96.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: CNOBIN INFORMATION TECHNOLOGY LIMITED Nameservers: ["chance.ns.cloudflare.com", "jen.ns.cloudflare.com"] Registered: 2026-04-13 Page title: Luckymusk: Elon Musk’s Official Crypto Casino Powered by Blockchain HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-05-24 Status: INVALID chain Fingerprint: 55a2b9d9c43f0116fe2d0b062ca016e10c09649365432715577bd0e02b1a8a8b ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: REPORTS FILED AND IGNORED — CNOBIN INFORMATION TECHNOLOGY LIMITED did not act on these notifications. Domain still online. Reports filed: 1 independent abuse notifications First report: 2026-04-13 07:23:20 UTC Days since first notice: 8 — no registrar action, domain remains online Methodology: follow-up reports are sent ONLY when a victim re-submitted a re-report via our public form, our monitoring detected the domain resurfacing in SEO/feeds, OR our live-checker confirmed the domain is still technically active and fraudulent. Each report contains: VT verdict, URLScan snapshot, WHOIS, SSL metadata, IP/hosting chain, impersonated-brand evidence, drainer/kit classification, screenshots, and a cryptographic hash of the forensic PDF. ICANN RAA Sec. 3.18 applies. Per-report timeline: https://phishdestroy.io/domain/luckymusk.com/#coordinated-suppression ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-13 07:22:08 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-13 04:23:03 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-04-21 20:12:04 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d8512-2909-753c-9ea5-a898aeb5aaba/ URLQuery: https://urlquery.net/report/1bacd082-6956-4f47-9d71-c1a6c6076c36 Wayback Machine: https://web.archive.org/web/*/luckymusk.com crt.sh CT logs: https://crt.sh/?q=%25.luckymusk.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=luckymusk.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/luckymusk.com URLhaus: https://urlhaus.abuse.ch/host/luckymusk.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-13 07:23:06 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies luckymusk.com as a live Musk-branded phishing domain currently under active investigation for hosting a fraudulent crypto giveaway scam designed to harvest wallet credentials and seed phrases. The threat type is generic_phishing with no confirmed drainer kit attribution at this stage, but the site mimics Elon Musk’s branding to deceive users into connecting wallets or submitting private keys. The domain appears to be a newly established trap, registered through CNOBIN INFORMATION TECHNOLOGY LIMITED, with no prior reputation or established infrastructure. This domain exhibits multiple technical red flags: it carries a valid Let’s Encrypt SSL certificate, resolving cleanly to IP 188.114.96.3, and was created on February 23, 2026. VirusTotal currently shows 0/95 detections, indicating it remains undetected by most antivirus engines as of seed 1a8a38. Google Safe Browsing (GSB) status is not flagged, and no public blocklists currently include it. The domain’s newness and clean VT score suggest it is either newly deployed or carefully crafted to evade detection during its initial campaign phase. As of this report, luckymusk.com remains active and poses a moderate but evolving risk. Immediate user action is required: avoid visiting the site, do not connect wallets, and report any encountered links. Security teams should block the domain at the network perimeter and monitor for associated wallet addresses. While the risk level is currently marked as 'under_investigation,' the lack of detections and active status warrant heightened caution. Users are advised to verify URLs via official channels and enable transaction simulation tools before signing any crypto transactions. Remaining risk is assessed as 'active' and likely to increase as the campaign matures. [Updates since narrative was generated:] - VirusTotal detections: now 5/94 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260413-F2A3EC Favicon MD5: 936386e361020ac6bcebbcc772491fbb TLS cert SHA-256: 55a2b9d9c43f0116fe2d0b062ca016e10c09649365432715577bd0e02b1a8a8b ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/luckymusk.com/ JSON API: https://api.destroy.tools/v1/check?domain=luckymusk.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io