# PhishDestroy threat dossier — meteora-home.xyz ================================================================ Fetched: 2026-05-26 06:03:17 UTC Canonical: https://phishdestroy.io/domain/meteora-home.xyz/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Airdrop Scam Targeted brand: Airdrop Scam Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 5/94 security vendors flagged this domain Flagging vendors: CyRadar, Forcepoint ThreatSeeker, G-Data, Google Safebrowsing, SOCRadar URLQuery: 2 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.30.241 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: OwnRegistrar, Inc. Nameservers: ligia.ns.cloudflare.com, null, steven.ns.cloudflare.com Registered: 2026-04-12 Page title: Claim Airdrop - Meteora HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-05-13 Status: INVALID chain Fingerprint: e325e1e42e524bad2a0c9ec479e329dd519b6e994b1d7b712023a08124224408 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-12 15:57:12 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-12 12:57:38 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-05-26 07:34:20 UTC Neutralised: 2026-05-14 06:10:26 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d81c3-6352-762a-ac11-43bd7f4b3e18/ URLQuery: https://urlquery.net/report/488d42ec-ec68-4dbe-9c91-9bc1289a12be Wayback Machine: https://web.archive.org/web/*/meteora-home.xyz crt.sh CT logs: https://crt.sh/?q=%25.meteora-home.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=meteora-home.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/meteora-home.xyz URLhaus: https://urlhaus.abuse.ch/host/meteora-home.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-12 15:57:45 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies meteora-home.xyz as an active generic phishing domain currently under investigation by security analysts. This domain poses a direct threat to users through impersonation tactics, likely targeting unsuspecting victims to harvest credentials or sensitive data. The absence of a recognized brand association suggests opportunistic fraud rather than targeted brandjacking, though further analysis may reveal disguised affiliations. No drainer kit signatures have been confirmed at this stage, but the domain's infrastructure is consistent with phishing operations designed for rapid deployment and evasion of detection mechanisms. meteora-home.xyz exhibits several technical indicators flagged by PhishDestroy's automated pipeline. The domain was registered through OwnRegistrar, Inc. on October 17, 2025, and resolves to IP 104.21.30.241. It utilizes a Google Trust Services SSL certificate, which does not guarantee legitimacy in this context. VirusTotal currently reports 0 detections out of 95 scanners, indicating a low profile on established threat intelligence feeds. The domain remains unlisted on major blocklists, including Google Safe Browsing, at the time of this report. These factors suggest a recently deployed infrastructure with minimal prior exposure to automated scanning systems. As of this analysis, meteora-home.xyz maintains an active status with a risk level classified as under_investigation. Security teams have not yet deployed countermeasures such as DNS sinkholing or takedown requests due to the domain's recent creation and low detection footprint. Users are advised to exercise extreme caution when encountering this domain, as it may serve as a vector for credential harvesting or malware distribution. Immediate steps include blocking the domain at the network level, reporting the URL to threat intelligence platforms, and warning end users to avoid interaction. The residual risk remains elevated until further intelligence emerges or enforcement actions are executed, particularly given the domain's clean SSL certificate and unflagged status. Proactive monitoring of IP 104.21.30.241 and associated domains is recommended to preempt additional malicious activity. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260412-5EA582 Favicon MD5: 9f97a59a7945966525778f616dcd4c25 TLS cert SHA-256: e325e1e42e524bad2a0c9ec479e329dd519b6e994b1d7b712023a08124224408 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/meteora-home.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=meteora-home.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 153,839 domains (38,093 alive under monitoring, 114,013 confirmed takedowns/dead). Site: https://phishdestroy.io