# PhishDestroy threat dossier — moonshot-coins.fun
================================================================

Fetched:   2026-04-20 18:37:33 UTC
Canonical: https://phishdestroy.io/domain/moonshot-coins.fun/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Moonshot
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: redirect_split) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      2/95 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, SOCRadar
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.67.134.245
Registrar:       PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers:     bryce.ns.cloudflare.com, mina.ns.cloudflare.com
Registered:      2026-04-17
Page title:      Pump
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-16
Status:     INVALID chain
Fingerprint: f902b6897672773c36104367c0b0c6169eb578b985ba08253b4dfacd8401b13b

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-20 16:05:16 UTC (by PhishDestroy tracker)
Last verified:     2026-04-20 19:50:04 UTC
Current status:    ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019daafb-f358-751e-af28-7578c66617b1/
Wayback Machine:  https://web.archive.org/web/*/moonshot-coins.fun
crt.sh CT logs:   https://crt.sh/?q=%25.moonshot-coins.fun
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=moonshot-coins.fun
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/moonshot-coins.fun
URLhaus:          https://urlhaus.abuse.ch/host/moonshot-coins.fun/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-20 16:05:56 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies the active domain moonshot-coins.fun as a crypto drainer exploiting Moonshot brand impersonation. This threat is categorized as elevated-risk due to its deceptive technique targeting cryptocurrency users through fraudulent token promotions. The domain was registered on April 17, 2026, and resolved to IP address 172.67.134.245 at the time of analysis. VirusTotal analysis revealed detection by 2 of 95 security vendors, while Maltrail has already added this domain to its blocklist. PublicDomainRegistry.com facilitated the registration, and the domain employs a Let’s Encrypt SSL certificate for perceived legitimacy. The combination of recent registration, low detection rate, and active blocking underscores the urgency for user vigilance.

Technical indicators reveal this domain is part of a broader campaign designed to deceive users into connecting cryptocurrency wallets under false pretenses. The impersonation of Moonshot—likely targeting investors in the Moonshot token or platform—exploits user trust through visually similar branding and fraudulent promises of high returns. The domain's low trust score across multiple security platforms, including its presence on one blocklist, suggests early-stage deployment typical of opportunistic threat actors. The IP address 172.67.134.245 is associated with multiple high-risk domains, further correlating this domain with malicious infrastructure. SSL certificate issuance via Let’s Encrypt, while common among legitimate sites, is often abused by threat actors to bypass security warnings and establish superficial credibility.

Users are strongly advised to avoid interacting with moonshot-coins.fun or any associated links, especially those promoting free token giveaways or urgent investment opportunities. PhishDestroy recommends verifying any suspicious domain or communication by searching the domain directly on its platform prior to engagement. Always cross-check URLs against official brand domains and use hardware wallet address verification when approving transactions. Report this domain immediately if encountered through PhishDestroy’s reporting system to help strengthen collective defense against such impersonation attempts. Stay vigilant—verify before you trust.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       aaa5e2f6131c0409022b14f94f9edf2d
TLS cert SHA-256:      f902b6897672773c36104367c0b0c6169eb578b985ba08253b4dfacd8401b13b

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/moonshot-coins.fun/
JSON API:          https://api.destroy.tools/v1/check?domain=moonshot-coins.fun
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io