# PhishDestroy threat dossier — mekasa.pro ================================================================ Fetched: 2026-07-09 05:08:55 UTC Canonical: https://phishdestroy.io/domain/mekasa.pro/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 72/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 25/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, Certego, Chong Lua Dao, Cluster25, CRDF, CyRadar, Dr.Web, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, Lumu, MalwareURL, Netcraft, PrecisionSec, Seclookup, SOCRadar, Sophos, URLQuery, Webroot Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.23.171 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Global Domain Group LLC Nameservers: amy.ns.cloudflare.com, bob.ns.cloudflare.com Registered: 2026-07-05 Expires: 2027-07-05 Page title: Terms of Service ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-10-03 Status: INVALID chain Fingerprint: 3a5007f3d872140f8feee920b62aece108241b69fb9834b1726b9d5baaba8c40 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-05 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-08 20:50:34 UTC (by PhishDestroy tracker) Last verified: 2026-07-09 04:20:52 UTC Neutralised: 2026-07-09 00:17:16 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4310-8f82-756b-9bfe-a20ebd413437/ Wayback Machine: https://web.archive.org/web/*/mekasa.pro crt.sh CT logs: https://crt.sh/?q=%25.mekasa.pro Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=mekasa.pro AlienVault OTX: https://otx.alienvault.com/indicator/domain/mekasa.pro URLhaus: https://urlhaus.abuse.ch/host/mekasa.pro/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-08 20:55:43 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, mekasa.pro, is flagged as an active credential theft operation targeting users through deceptive login portals. Analysis indicates the site mimics legitimate service agreements or account verification pages, a common tactic to harvest usernames, passwords, and other sensitive credentials. While no specific brand impersonation or crypto drainer kit has been conclusively identified, the infrastructure and behavioral patterns align with credential harvesting campaigns. The page title, Terms of Service, is frequently used as a disguise to lower user suspicion and increase the likelihood of successful data exfiltration. Infrastructure analysis reveals multiple high-confidence technical indicators. The domain is registered through Global Domain Group LLC and resolves to the IP address 104.21.23.171, a network segment often associated with bulletproof hosting providers. The domain was created on July 05, 2026, an anomalous future date suggesting potential registration data manipulation or system clock tampering. VirusTotal reports 25 out of 95 security vendors flagging the domain as malicious, while it appears on two security blocklists: MalwareFilter and Hagezi. The SSL certificate is issued by Google Trust Services, which, while legitimate, does not mitigate the underlying malicious intent of the domain. As of the latest assessment, mekasa.pro remains active and unremediated, posing a continued risk to users. The domain has not been added to the Google Safe Browsing database, meaning standard browser protections may not trigger warnings. Users are advised to avoid all interaction with the domain and any associated links. Organizations should update web filters to block the domain and its resolving IP address. Given the persistent activity and lack of takedown, the risk level remains high, particularly for individuals or entities that may be targeted for credential-based attacks. Proactive monitoring of network traffic for connections to 104.21.23.171 is recommended to detect potential compromise. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 3a5007f3d872140f8feee920b62aece108241b69fb9834b1726b9d5baaba8c40 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/mekasa.pro/ JSON API: https://api.destroy.tools/v1/check?domain=mekasa.pro Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 176,446 domains (40,862 alive under monitoring, 135,561 confirmed takedowns/dead). Site: https://phishdestroy.io