# PhishDestroy threat dossier — m.trustwalletloz.com ================================================================ Fetched: 2026-05-07 05:59:14 UTC Canonical: https://phishdestroy.io/domain/m.trustwalletloz.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Trust Wallet Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: redirect_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/95 security vendors flagged this domain ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 35.173.253.72 Registrar: Gname.com Pte. Ltd. Nameservers: a6.share-dns.com, b6.share-dns.net Registered: 2025-10-29 HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-10-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-07 05:43:49 UTC (by PhishDestroy tracker) Last verified: 2026-05-07 07:50:04 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e0050-79aa-72ed-b5ce-f80d2ee16c5f/ Wayback Machine: https://web.archive.org/web/*/m.trustwalletloz.com crt.sh CT logs: https://crt.sh/?q=%25.m.trustwalletloz.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=m.trustwalletloz.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/m.trustwalletloz.com URLhaus: https://urlhaus.abuse.ch/host/m.trustwalletloz.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-07 05:45:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies an active phishing site mimicking Trust Wallet at m.trustwalletloz.com. The page claims to be a ‘mobile wallet portal’ but is engineered to harvest seed phrases and wallet passwords from unwary users. Visitors who enter recovery phrases or private keys risk immediate loss of funds, as the site’s operators can drain connected wallets in minutes. There are no legitimate Trust Wallet URLs that begin with m.trustwalletloz.com; the brand only uses trustwallet.com and wallet.trustwallet.com for official endpoints. This domain was flagged by PhishDestroy after VirusTotal analysis showed 0 detections out of 95 scanners on October 29, 2025, the same day the domain was registered. The registrar is Gname.com Pte. Ltd. and the site uses a Let’s Encrypt SSL certificate to appear trustworthy. The infrastructure resolves to IP address 35.173.253.72, which should be blocked at the firewall or DNS level to prevent further visits. If you visited m.trustwalletloz.com, assume your wallet recovery phrase or private key may have been compromised. Immediately move all funds to a new wallet created on a clean device, enable hardware wallet protection where possible, and revoke all token approvals via tools like revoke.cash. Rotate any reused passwords and enable two-factor authentication on all crypto accounts. Report the domain to your antivirus vendor and to the official Trust Wallet security team so others can be warned. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/m.trustwalletloz.com/ JSON API: https://api.destroy.tools/v1/check?domain=m.trustwalletloz.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 146,667 domains (58,438 alive under monitoring, 87,955 confirmed takedowns/dead). Site: https://phishdestroy.io