# PhishDestroy threat dossier — metamaskverifyweb3.com
================================================================
Fetched: 2026-06-27 15:15:51 UTC
Canonical: https://phishdestroy.io/domain/metamaskverifyweb3.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: MetaMask
Phishing kit: Verification Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 21/91 security vendors flagged this domain
Flagging vendors: ChainPatrol, Criminal IP, alphaMountain.ai, BitDefender, Certego, Chong Lua Dao, Cluster25, CRDF, CyRadar, ESET, Emsisoft, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, MalwareURL, Netcraft, SOCRadar, Sophos, Webroot
Public blocklists: listed on 4 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 176.123.0.199 (MD, Chisinau)
ASN: AS200019 AlexHost ALEXHOST SRL, MD
Hosting org: AS200019 ALEXHOST SRL
Registrar: Hosting Concepts B.V. d/b/a Registrar.eu
Nameservers: courtney.ns.cloudflare.com, guy.ns.cloudflare.com
Registered: 2026-06-22
Expires: 2027-06-22
Page title: Wallet verification

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR2
Expires: 2026-09-20
Status: INVALID chain
Fingerprint (SHA-256): fafd697b759f593436ee805c70191094f62a74b5d93eb9a53ed75f3a48553365

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure.
PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-22 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-25 12:26:22 UTC (by PhishDestroy tracker)
First reported: 2026-06-25 10:29:21 UTC (abuse notice filed)
Last verified: 2026-06-27 16:20:35 UTC
Neutralised: 2026-06-26 00:02:48 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019efe4f-d014-7693-8606-620226c5092f/
Wayback Machine: https://web.archive.org/web/*/metamaskverifyweb3.com
crt.sh CT logs: https://crt.sh/?q=%25.metamaskverifyweb3.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=metamaskverifyweb3.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/metamaskverifyweb3.com
URLhaus: https://urlhaus.abuse.ch/host/metamaskverifyweb3.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 17:22:39 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain is flagged as a high-risk credential-harvesting site specifically designed to impersonate MetaMask, a widely used cryptocurrency wallet. The threat type is brand impersonation with the intent to harvest wallet credentials, seed phrases, and private keys from unsuspecting users through a deceptive "verification" workflow. Analysis indicates the domain is engineered to exploit trust in the MetaMask brand, leading to unauthorized asset transfers and irreversible financial losses.
Infrastructure analysis reveals multiple high-confidence indicators of malicious activity. The domain was registered on June 22, 2026, through Hosting Concepts B.V. d/b/a Registrar.eu, and at the time this narrative was generated resolved to IP address 176.123.0.199 in Moldova under AS200019 (ALEXHOST SRL). VirusTotal then reported 20 of 95 security vendors flagging the domain as malicious (the DETECTION EVIDENCE section above carries the current 21/91 count), and the domain appeared on four distinct security blocklists: PhishDestroy, MetaMask's own blocklist, SEAL, and Phishunt. The TLS certificate, issued by Let's Encrypt's YR2 intermediate, provides transport encryption only; it says nothing about the legitimacy of the operator, and fraudulent sites routinely obtain free certificates precisely so that the browser shows a padlock. The domain was still resolving despite widespread detection when this narrative was written, suggesting persistent operational intent; per the TIMELINE it was neutralised the following day.

Mitigation requires action from both end users and network defenders. Users should never enter wallet credentials, seed phrases, or private keys on any "verification" page: a legitimate wallet never needs the seed phrase to verify anything, and any MetaMask-branded page not hosted on the official metamask.io domain should be treated as hostile. Network-level protections should include sinkholing the domain in DNS (for example via a response-policy zone), adding it to blocklists on web and mail gateways, and blocking 176.123.0.199 at the perimeter once it has been confirmed that the address is not shared with legitimate tenants of the hosting provider. Filtering all of AS200019 is a far heavier measure and is only appropriate where the organisation has no legitimate traffic to that provider. Organizations handling cryptocurrency transactions should deploy strict domain validation policies and train users to recognise impersonation attempts, focusing on inspection of the full URL and verification of official communication channels rather than on certificate details, which a phishing site can obtain for free. Given the irreversible nature of cryptocurrency transactions, proactive blocking of this infrastructure is critical to prevent credential compromise and subsequent asset theft.
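The mitigation paragraph above recommends DNS sinkholing, gateway blocklisting and, with care, an IP block. The following is an added example (not PhishDestroy tooling) that turns this dossier's indicators into a BIND-style response-policy zone and nftables rules. The domain and IP are the ones recorded in this dossier; the zone name, SOA values, the nftables table/chain names and the `shared_hosting` flag are assumptions made for the example. The flag defaults to "shared" so that a hosting-provider address is not blocked until someone has checked what else resolves to it.

```python
"""Turn the dossier's IOCs into DNS-sinkhole and perimeter-block entries.

Added example for the mitigation paragraph of this dossier; not PhishDestroy
tooling. Zone name, SOA values, nftables table/chain and the shared_hosting
flag are assumptions for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Ioc:
    domain: str
    ips: list = field(default_factory=list)
    # A hosting-provider address is usually shared by many tenants. Default to
    # treating it as shared so the IP is NOT blocked until passive DNS or a
    # reverse lookup has shown that nothing legitimate lives on it.
    shared_hosting: bool = True


def rpz_ip_trigger(ip: str) -> str:
    """RPZ response-IP trigger: prefix length, then reversed octets,
    e.g. 176.123.0.199 -> 32.199.0.123.176.rpz-ip"""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("example handles IPv4 only")
    return "32." + ".".join(reversed(ip.split("."))) + ".rpz-ip"


def rpz_zone(iocs, serial: int) -> str:
    """Render a BIND response-policy zone (the same file format is loaded by
    Unbound's rpz module and PowerDNS Recursor). 'CNAME .' makes the resolver
    answer NXDOMAIN for the name; the wildcard entry covers every subdomain."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for ioc in iocs:
        name = ioc.domain.lower().rstrip(".")
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
        # Response-IP trigger only for addresses confirmed dedicated to the
        # phishing operation; on shared hosting it would hit every tenant.
        if not ioc.shared_hosting:
            for ip in ioc.ips:
                lines.append(f"{rpz_ip_trigger(ip)} CNAME .")
    return "\n".join(lines) + "\n"


def nft_rules(iocs) -> list:
    """nftables drop rules for IPs confirmed as dedicated to the operation.
    Assumes an existing 'inet filter' table with an 'output' chain."""
    rules = []
    for ioc in iocs:
        if ioc.shared_hosting:
            continue
        for ip in ioc.ips:
            rules.append(f"nft add rule inet filter output ip daddr {ip} drop")
    return rules


# IOCs from this dossier; shared_hosting left at its default until verified.
DOSSIER_IOCS = [Ioc("metamaskverifyweb3.com", ips=["176.123.0.199"])]

if __name__ == "__main__":
    print(rpz_zone(DOSSIER_IOCS, serial=2026062701))
    print("\n".join(nft_rules(DOSSIER_IOCS))
          or "# no dedicated IPs confirmed; DNS sinkhole only")
```

With the default flag the output is the two CNAME lines and no IP rule; flipping `shared_hosting=False` after verification adds the `32.199.0.123.176.rpz-ip` trigger and the nftables drop rule. Bump the SOA serial on every regeneration or secondaries will not pick up the change.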
## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260625-739D3A
Favicon MD5: 8fd12387bb3f31d397cda8869b46df8a
TLS cert SHA-256: fafd697b759f593436ee805c70191094f62a74b5d93eb9a53ed75f3a48553365

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
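The methodology above lists brand-impersonation heuristics, domain freshness, free TLS and the VirusTotal ratio as separate inputs, and warns that a low VT count alone clears nothing. The following added example (not PhishDestroy's scorer) shows how such indicators combine into a composite verdict over a few constructed records: the first mirrors this dossier's fields, the second is a fresh look-alike with 0/95 on VirusTotal, the third is a legitimate MetaMask subdomain, and the fourth is an unrelated new domain. The weights, brand table, lure-word list, block threshold and the sample registration dates are all assumptions made for the example; the eTLD+1 helper is deliberately simplified.

```python
"""Brand-impersonation and freshness heuristics for a suspected wallet-phishing domain.

Added illustration for this dossier's scoring-methodology section; it is not
PhishDestroy's scorer. Weights, brand table, lure words, threshold and the
sample records are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date

# Brand token -> registrable domains that legitimately carry it (constructed, partial).
BRANDS = {
    "metamask": {"metamask.io"},
    "ledger": {"ledger.com"},
    "trezor": {"trezor.io"},
}
# Words phishing kits lean on to make a fake "verification" flow plausible.
LURE_WORDS = ("verify", "verification", "validate", "wallet", "web3",
              "secure", "support", "recover", "claim", "airdrop")
BLOCK_THRESHOLD = 70   # assumed cut-off for the example


@dataclass
class Record:
    domain: str
    registered: date          # from WHOIS / CT; may be a renewal date
    observed: date            # when the page was seen live
    vt_positives: int
    vt_total: int
    free_tls: bool            # e.g. Let's Encrypt / ZeroSSL
    seed_phrase_form: bool    # DOM analysis found a 12/24-word input


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). Production code should consult the
    Public Suffix List, e.g. via tldextract, to handle suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score(rec: Record) -> dict:
    """Return a 0-100 composite score plus the indicators that fired."""
    reg = registrable_domain(rec.domain)
    flat = reg.replace("-", "")        # catch meta-mask as well as metamask
    points, reasons = 0, []

    # Brand token in a registrable domain the brand does not own.
    for brand, legit in BRANDS.items():
        if brand in flat and reg not in legit:
            points += 40
            reasons.append(f"brand token '{brand}' outside {sorted(legit)}")
    lures = [w for w in LURE_WORDS if w in flat]
    if lures:
        points += 10 * min(len(lures), 2)
        reasons.append("lure words: " + ", ".join(lures))
    age = (rec.observed - rec.registered).days
    if age < 30:
        points += 15
        reasons.append(f"registered {age} day(s) before observation")
    if rec.seed_phrase_form:
        points += 25
        reasons.append("seed-phrase input form")
    if rec.free_tls:
        points += 5
        reasons.append("free TLS (throwaway-infrastructure signal)")
    # VT contributes at most 15 points, so 0/95 cannot rescue a bad domain.
    if rec.vt_total:
        vt = round(15 * rec.vt_positives / rec.vt_total)
        if vt:
            points += vt
            reasons.append(f"VirusTotal {rec.vt_positives}/{rec.vt_total}")

    total = min(points, 100)
    return {"domain": rec.domain, "score": total,
            "verdict": "BLOCK" if total >= BLOCK_THRESHOLD else "monitor",
            "reasons": reasons}


# Constructed sample records; the first mirrors this dossier's fields.
SAMPLES = [
    Record("metamaskverifyweb3.com", date(2026, 6, 22), date(2026, 6, 25), 21, 91, True, True),
    Record("verify-metamask.net", date(2026, 6, 24), date(2026, 6, 25), 0, 95, True, True),
    Record("docs.metamask.io", date(2016, 7, 15), date(2026, 6, 25), 0, 95, False, False),
    Record("bobs-bakery.example", date(2026, 6, 23), date(2026, 6, 25), 0, 95, True, False),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        r = score(rec)
        print(f"{r['domain']:26} {r['score']:3}/100 {r['verdict']:8} {'; '.join(r['reasons'])}")
```

The second record scores 95 and is blocked with zero VirusTotal detections, which is the methodology's point; the legitimate subdomain scores 0 because the brand token sits inside the brand's own registrable domain; and the unrelated fresh domain collects only the freshness and free-TLS points, which on their own stay well under the threshold.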
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/metamaskverifyweb3.com/
JSON API: https://api.destroy.tools/v1/check?domain=metamaskverifyweb3.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot
About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,873 domains (12,737 alive under monitoring, 157,726 confirmed takedowns/dead).
Site: https://phishdestroy.io