# PhishDestroy threat dossier — m.trustwallet-web3.com.cn ================================================================ Fetched: 2026-06-27 13:54:31 UTC Canonical: https://phishdestroy.io/domain/m.trustwallet-web3.com.cn/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Trust Wallet Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, ChainPatrol, Chong Lua Dao, CRDF, CyRadar, Fortinet, Gridinsoft, SOCRadar, Webroot URLQuery: 2 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 216.118.243.67 (HK, Lai Chi Kok) ASN: AS45753 Netsec Limited Hosting org: Simcentric Solutions Limited. Registrar: 邦宁数字技术股份有限公司 Nameservers: ns1.judns.com, ns2.judns.com Registered: 2025-04-11 Page title: 网站维护中 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-07-09 Status: INVALID chain Fingerprint: f2408465c64ee5028ceba8f3f53f29a917900a55716ae54d159104165ef15fac Subject Alternative Names (related infrastructure — often same operator): - trustwallet-web3.com.cn - www.trustwallet-web3.com.cn ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-04-11 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-06 13:48:56 UTC (by PhishDestroy tracker) First reported: 2026-05-06 10:50:40 UTC (abuse notice filed) Last verified: 2026-06-27 12:20:35 UTC Neutralised: 2026-05-11 12:44:38 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dfce5-e2b1-72b6-b39a-e6b04396244f/ URLQuery: https://urlquery.net/report/b608698e-025d-4a20-8793-2a790d5b3300 Wayback Machine: https://web.archive.org/web/*/m.trustwallet-web3.com.cn crt.sh CT logs: https://crt.sh/?q=%25.m.trustwallet-web3.com.cn Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=m.trustwallet-web3.com.cn AlienVault OTX: https://otx.alienvault.com/indicator/domain/m.trustwallet-web3.com.cn URLhaus: https://urlhaus.abuse.ch/host/m.trustwallet-web3.com.cn/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-26 05:57:46 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, m.trustwallet-web3.com.cn, is identified as a brand impersonation threat specifically targeting Trust Wallet, a widely used cryptocurrency wallet platform. The site is designed to deceive users into believing they are interacting with legitimate Trust Wallet services, potentially leading to unauthorized access to wallet credentials, seed phrases, or direct crypto asset theft. Brand impersonation in the cryptocurrency sector is particularly dangerous due to the irreversible nature of blockchain transactions, making recovery of stolen funds nearly impossible. The domain employs visual and structural mimicry of Trust Wallet’s official interfaces, including logos, color schemes, and web layouts, to lower user vigilance and increase the likelihood of successful exploitation. Infrastructure analysis reveals multiple high-confidence indicators of malicious activity. The domain was registered on April 11, 2025, through 邦宁数字技术股份有限公司, a registrar frequently associated with fraudulent domains. It resolves to the IP address 216.118.234.67 and is hosted on an Apache HTTP Server. Security vendors have flagged the domain with a VirusTotal detection ratio of 9/95, indicating broad consensus among threat intelligence providers regarding its malicious nature. Additionally, the domain appears on three independent security blocklists and is actively blocked by multiple browser-based security extensions. The SSL certificate, issued by Let’s Encrypt, is valid but does not mitigate the domain’s fraudulent intent, as threat actors commonly use legitimate certificates to lend false credibility to phishing sites. The page title, displayed as 网站维护中 (translated as “Website Under Maintenance”), is a common tactic to explain missing or incomplete content while maintaining the illusion of legitimacy. Users who have visited m.trustwallet-web3.com.cn should assume their wallet credentials or seed phrases may have been compromised. Immediate action is required: disconnect all active sessions from the site, revoke any connected wallet permissions, and transfer assets to a new wallet using a clean device. Monitor all linked accounts for unauthorized transactions and enable multi-factor authentication where available. If any sensitive information was entered, consider the original wallet permanently compromised. Report the domain to relevant security teams and blocklists to aid in broader threat mitigation. Given the domain’s current offline status, users should remain vigilant for similar impersonation attempts, as threat actors often rotate infrastructure to evade detection. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260506-7383CC Favicon MD5: e755d2d8786b26e754eb686728678be7 TLS cert SHA-256: f2408465c64ee5028ceba8f3f53f29a917900a55716ae54d159104165ef15fac ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/m.trustwallet-web3.com.cn/ JSON API: https://api.destroy.tools/v1/check?domain=m.trustwallet-web3.com.cn Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,870 domains (12,734 alive under monitoring, 157,726 confirmed takedowns/dead). Site: https://phishdestroy.io