# PhishDestroy threat dossier — net-uphold.created.app
================================================================
Fetched: 2026-06-21 05:20:33 UTC
Canonical: https://phishdestroy.io/domain/net-uphold.created.app/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing
Targeted brand: MetaMask (value as recorded in this field; the page title and the analyst narrative below identify the impersonated brand as Uphold, and MetaMask appears elsewhere in this dossier as a blocking source rather than as the lure)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6)
Note on HTTP 666: this is not a registered status code (valid codes fall in 100-599). A scanner that treats any non-2xx answer as "site down" records this domain as dead while victims using a normal browser still receive the login page.

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 5/95 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists
Google Safe Browsing: FLAGGED

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 216.150.16.129 (US, Walnut)
ASN: AS16509 Amazon.com, Inc.
Hosting org: Vercel, Inc
Registrar: Tucows Domains Inc
Nameservers: ns1.vercel-dns.com, ns2.vercel-dns.com
Registered: 2026-05-16
Page title: Secure Uphold Login - Access Your Digital Asset Account
HTTP response: 404 (status returned to the dossier's automated fetch; it differs from the HTTP 666 recorded under Cloaking, and in either case a non-2xx answer to a bot client is not evidence that the site is down)

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-07-29
Status: INVALID chain
Fingerprint (SHA-256): 927656e07b11c1b9142869c6a6c1996526993b64fd76d6b8ad10c405cebaa0f8
Note: because the chain does not validate, retrieving the leaf certificate to compare this fingerprint requires a client with chain verification disabled; a default TLS client aborts the handshake on the verification failure.

## ABUSE-REPORT HISTORY (registrar-response tracking)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter, so no registrar response (or non-response) can be evidenced for it at this time.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-16 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-16 21:27:21 UTC (by PhishDestroy tracker)
Earliest abuse record: 2026-05-16 18:30:04 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Neutralised: 2026-06-06 17:30:41 UTC
Last verified: 2026-06-21 04:20:34 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners. The domain was recorded as neutralised on 2026-06-06 and has since been verified active again, so treat that takedown as reversed rather than current.
Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. The WHOIS date is shown here at day resolution; the 2026-05-16 18:30:04 abuse record can only be placed before a same-day registration if the comparison uses the full creation timestamp, which this page does not display.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e3208-689a-760b-a733-9457ff91e492/
URLQuery: https://urlquery.net/report/1e796f87-5193-40e8-8804-a28ded942c1f
Wayback Machine: https://web.archive.org/web/*/net-uphold.created.app
crt.sh CT logs: https://crt.sh/?q=%25.net-uphold.created.app
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=net-uphold.created.app
AlienVault OTX: https://otx.alienvault.com/indicator/domain/net-uphold.created.app
URLhaus: https://urlhaus.abuse.ch/host/net-uphold.created.app/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-16 21:28:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies net-uphold.created.app as an active brand impersonation domain masquerading as the legitimate cryptocurrency platform Uphold.
The site uses a deceptive naming convention (a brand keyword in a subdomain of the created.app platform) to mimic Uphold's branding and lure victims into credential theft or cryptocurrency draining. Analysts observed the MetaMask browser extension blocking the domain, indicating active malicious intent in browser environments. No open-source drainer kit signatures were detected in initial scans, but the domain's structure suggests integration with a credential harvesting or crypto drainer toolkit designed to siphon funds from unwitting users. This domain was flagged with a 0/95 VirusTotal detection score as of the latest scan at the time of writing, placing it below current antivirus coverage thresholds despite red flags from browser security extensions and blocklists. The domain resolves to IP 216.150.16.129 and uses a Let's Encrypt TLS certificate to appear legitimate. It is served through Vercel's app platform via the created.app domain namespace, a common tactic among threat actors to rapidly deploy malicious landing pages. Google Safe Browsing classifies the site under "SOCIAL_ENGINEERING," confirming user deception tactics. The domain was detected on one active security blocklist and first observed during a recent sweep of crypto-related fraud infrastructure linked to seed 6c3c82. The domain remains active and unresolved as of this report, with MetaMask providing real-time protection for users. PhishDestroy recommends immediate blocking at the network and endpoint levels due to the combination of brand impersonation and low detection coverage. Users are advised to avoid interacting with any links that place "uphold" inside a subdomain of some other domain, to validate URLs against official Uphold domains (uphold.com), and to report such domains to security teams or browser vendors. Residual risk is assessed as moderate while security tools actively block the domain, with high potential for future exploitation if detection gaps persist.
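The hostname check the narrative recommends, written out as an added example (this is not PhishDestroy code): a brand keyword appearing in a subdomain of a platform host such as created.app, or under any registrable domain other than the brand's own, is treated as impersonation. Only uphold.com is named on the page as an official domain; every other entry in OFFICIAL and PLATFORM_SUFFIXES, and the leet-speak substitution table, are this example's own assumptions.

```python
"""Flag hostnames that carry a brand keyword outside the brand's official domains.

Added example, not PhishDestroy code. Simplified public-suffix handling: hosts
under which anyone can claim a subdomain (created.app and similar) are treated
as suffixes, so "net-uphold.created.app" is its own registrable domain rather
than a subdomain of created.app. In production, load the suffix set from the
Public Suffix List instead of the hand-kept set below.
"""
from urllib.parse import urlsplit

# Brand keyword -> registrable domains allowed to carry it.
OFFICIAL = {
    "uphold": {"uphold.com"},        # named on the dossier page
    "metamask": {"metamask.io"},     # assumed, for illustration only
}

# Platform hosts treated like public suffixes. created.app comes from the
# dossier; the others are assumed examples of the same kind of namespace.
PLATFORM_SUFFIXES = {"created.app", "vercel.app", "pages.dev", "github.io"}

# Digit-for-letter substitutions common in lookalike hostnames (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def hostname(url):
    """Lowercased hostname, trailing dot removed; bare hosts are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host):
    """eTLD+1 with platform hosts treated as suffixes (simplified PSL logic)."""
    labels = host.split(".")
    for suffix in sorted(PLATFORM_SUFFIXES, key=len, reverse=True):
        suffix_labels = suffix.split(".")
        if len(labels) > len(suffix_labels) and labels[-len(suffix_labels):] == suffix_labels:
            return ".".join(labels[-len(suffix_labels) - 1:])
    return ".".join(labels[-2:])


def brand_mentions(host):
    """Brands whose keyword appears in the host after separator and leet normalisation."""
    flat = host.translate(LEET).replace("-", "").replace("_", "").replace(".", "")
    return [brand for brand in OFFICIAL if brand in flat]


def assess(url):
    """Return the registrable domain, brands mentioned, and whether any of them
    is mentioned from a domain the brand does not own."""
    host = hostname(url)
    reg = registrable_domain(host)
    brands = brand_mentions(host)
    hits = [b for b in brands if reg not in OFFICIAL[b]]
    return {
        "host": host,
        "registrable_domain": reg,
        "brands_mentioned": brands,
        "impersonation": bool(hits),
        "flagged_brands": hits,
    }


if __name__ == "__main__":
    for u in ("https://net-uphold.created.app/login",
              "https://wallet.uphold.com/",
              "https://uph0ld-support.example.net/"):
        print(assess(u))
```

The check is deliberately keyword-based rather than exact-match: it catches "uphold" buried in a longer label, hyphenated variants and digit substitutions, at the cost of flagging unrelated hosts that happen to contain the string. Pair it with the allowlist of official domains so that legitimate subdomains such as wallet.uphold.com pass.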
[Updates since narrative was generated:]
- VirusTotal detections: now 5/95 (narrative was written when count was lower)
- Public blocklists: now 3 independent blocklists (narrative cites one)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260516-2579A1
Favicon MD5: fe06af3bda5ebf359d0f251fa1ee492e
TLS cert SHA-256: 927656e07b11c1b9142869c6a6c1996526993b64fd76d6b8ad10c405cebaa0f8

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
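The content_split check named under VERDICT and in the cloaking-detection bullet above, as an added example (this is not PhishDestroy's scanner): fetch the same URL with a scanner-like client profile and with a browser-like profile, then compare status codes and body hashes. A status outside 100-599, such as the custom 666 recorded for this domain, is kept as a signal rather than treated as a transport error. The header sets and the SAMPLE_* responses are constructed for this example, and the live fetch uses only urllib from the standard library.

```python
"""Scanner-vs-browser probe for content_split cloaking.

Added example, not PhishDestroy code. Two signals are evaluated: a nonstandard
HTTP status (a real web server has no reason to emit one) and a difference in
status or body between client profiles (the rendering delta between bot and
real visitor). PROFILES and the SAMPLE_* responses are constructed, not
captured traffic.
"""
import hashlib
import urllib.error
import urllib.request

PROFILES = {
    # Minimal headers, the way many automated fetchers present themselves (constructed).
    "scanner": {"User-Agent": "python-urllib/3"},
    # A trimmed desktop-browser header set (constructed).
    "browser": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.9",
    },
}


def fetch(url, headers, timeout=10):
    """Return (status, body) for one client profile.

    urllib raises HTTPError for every status outside 2xx, including a
    nonstandard 666 (http.client accepts any three-digit status line). The
    error object still carries the code and body, so both are returned
    instead of treating the response as a failed fetch.
    """
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(responses):
    """responses: {profile_name: (status, body_bytes)} -> verdict dict."""
    statuses = {p: s for p, (s, _) in responses.items()}
    hashes = {p: hashlib.sha256(b).hexdigest() for p, (_, b) in responses.items()}
    signals = []
    for profile, status in statuses.items():
        if not 100 <= status <= 599:
            signals.append(f"nonstandard status {status} served to {profile!r} profile")
    split = len(set(statuses.values())) > 1 or len(set(hashes.values())) > 1
    if split:
        signals.append("status or body differs between profiles")
    return {
        "cloaked": bool(signals),
        "type": "content_split" if split else None,
        "statuses": statuses,
        "body_sha256": hashes,
        "signals": signals,
    }


def probe(url):
    """Fetch the URL once per profile and classify the result (network access)."""
    return classify({name: fetch(url, hdrs) for name, hdrs in PROFILES.items()})


# Constructed responses mirroring what the dossier reports: a custom 666 with
# an empty body for the scanner profile, a login page for the browser profile.
SAMPLE_CLOAKED = {
    "scanner": (666, b""),
    "browser": (200, b"<html><title>Secure Uphold Login</title><form>...</form></html>"),
}
# Constructed control case: identical answers to both profiles.
SAMPLE_PLAIN = {
    "scanner": (200, b"<html>same page</html>"),
    "browser": (200, b"<html>same page</html>"),
}

if __name__ == "__main__":
    print(classify(SAMPLE_CLOAKED))
    print(classify(SAMPLE_PLAIN))
```

One pair of fetches is enough for a status split like the one recorded here, but a body-hash delta on its own can be noise from nonces or timestamps in legitimate pages: fetch the browser profile twice and only count the delta when the two browser bodies agree with each other. Cloaking keyed on source IP or geolocation is not visible from a single vantage point and needs the same probe run from a residential egress as well.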
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/net-uphold.created.app/
JSON API: https://api.destroy.tools/v1/check?domain=net-uphold.created.app
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot
About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 167,159 domains (15,995 alive under monitoring, 150,846 confirmed takedowns/dead).
Site: https://phishdestroy.io