# PhishDestroy threat dossier — monoprotocol.online
================================================================

Fetched:   2026-06-25 00:09:20 UTC
Canonical: https://phishdestroy.io/domain/monoprotocol.online/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      7/91 security vendors flagged this domain
URLQuery:        3 detections
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      147.45.177.55 (CA, Toronto)
ASN:             AS215540 GLOBAL CONNECTIVITY SOLUTIONS LLP
Hosting org:     Global Connectivity Solutions LLP
Registrar:       Unstoppable Domains Inc.
Nameservers:     harlee.ns.cloudflare.com, sonny.ns.cloudflare.com
Registered:      2025-11-23
Page title:      Mono Protocol Presale Claim

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R13
Expires:    2026-06-21
Status:     INVALID chain
Fingerprint: c0433620cac6be9db2b19fda8259370c4b95ccd51c0156bb7c0665a52a64238d

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either
the hosting provider / registrar suspended it on their own, the DNS went dead, or the
operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file
for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-11-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-05-07 01:50:43 UTC (by PhishDestroy tracker)
First reported:    2026-05-06 22:51:36 UTC (abuse notice filed)
Last verified:     2026-06-25 00:20:44 UTC
Neutralised:       2026-06-06 17:31:40 UTC
Current status:    taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dff7b-85b5-7228-96a4-f99233483924/
URLQuery:         https://urlquery.net/report/b3f4eeb9-5beb-4486-be11-a9348b68f2f7
Wayback Machine:  https://web.archive.org/web/*/monoprotocol.online
crt.sh CT logs:   https://crt.sh/?q=%25.monoprotocol.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=monoprotocol.online
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/monoprotocol.online
URLhaus:          https://urlhaus.abuse.ch/host/monoprotocol.online/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-07 01:51:15 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies monoprotocol.online as an active crypto drainer scam under evaluation for credential theft and fund misappropriation. This domain, registered through Unstoppable Domains Inc. on November 23, 2025, resolves to IP 147.45.177.55 and leverages a Let's Encrypt SSL certificate to appear legitimate. Current VirusTotal scans show 0 detections out of 95 engines, indicating evasion of automated detection systems, while blocklist status remains unconfirmed. The domain's recent creation and low detection rate suggest a rapidly deployed threat designed to exploit trust in crypto protocols.  This domain exhibits multiple indicators of malicious intent. Technical analysis reveals a registration timestamp of November 23, 2025, through Unstoppable Domains Inc., a registrar often exploited for anonymity. The domain resolves to IP 147.45.177.55, hosted on infrastructure associated with low trust scores across multiple threat intelligence platforms. The use of a Let's Encrypt SSL certificate enhances its appearance of legitimacy, while the absence of detections on VirusTotal (0/95) highlights the sophistication of its evasion techniques. Given its active status and alignment with crypto drainer tactics, monoprotocol.online poses an immediate risk to users interacting with decentralized finance platforms.  To mitigate exposure to this threat, users must avoid interacting with any links or content from monoprotocol.online, including wallet connection prompts or transaction approval requests. Crypto holders should verify URLs through official project channels and implement multi-factor authentication on all wallets. Network administrators are advised to block IP 147.45.177.55 and the domain at the firewall level, while security teams should monitor for TLS certificate requests from Let's Encrypt associated with this domain. Immediate reporting to crypto fraud databases and local cybercrime units is critical to disrupt further operations.

[Updates since narrative was generated:]
  - VirusTotal detections: now 7/91 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260506-C8E2DC
Favicon MD5:       fafaaae1a9f39c6d85756bb6f281a6a1
TLS cert SHA-256:      c0433620cac6be9db2b19fda8259370c4b95ccd51c0156bb7c0665a52a64238d

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/monoprotocol.online/
JSON API:          https://api.destroy.tools/v1/check?domain=monoprotocol.online
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 169,553 domains (15,675 alive under monitoring, 153,512 confirmed takedowns/dead). Site: https://phishdestroy.io