# PhishDestroy threat dossier — okx-web3-tron-usdt-trc20-000000590.pages.dev
================================================================

Fetched: 2026-04-23 18:37:09 UTC
Canonical: https://phishdestroy.io/domain/okx-web3-tron-usdt-trc20-000000590.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 10/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, Emsisoft, Fortinet, Netcraft, Webroot

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.66.47.109 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: ishaan.ns.cloudflare.com, lara.ns.cloudflare.com
Registered: 2026-04-06
Page title: OKX
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-06-16
Status: INVALID chain
Fingerprint: 249924abf948f5ef3aed1c779197cabfdfb9128f2e42d35f39feaebdd05fead7

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-06 22:41:49 UTC (by PhishDestroy tracker)
Last verified: 2026-04-21 16:10:15 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d644e-4554-74c4-a446-7cd6a7333ae7/
Wayback Machine: https://web.archive.org/web/*/okx-web3-tron-usdt-trc20-000000590.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.okx-web3-tron-usdt-trc20-000000590.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=okx-web3-tron-usdt-trc20-000000590.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/okx-web3-tron-usdt-trc20-000000590.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/okx-web3-tron-usdt-trc20-000000590.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-06 22:43:33 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies the active domain okx-web3-tron-usdt-trc20-000000590.pages.dev impersonating OKX in a brand impersonation campaign. The site appears to be distributing a crypto drainer kit targeting TRC-20 USDT wallets on the TRON network. Indicators show the page is hosted on a Cloudflare-protected Cloudflare Pages instance, leveraging legitimate Google Trust Services SSL certificates to appear authentic while harvesting wallet credentials and executing token transfers.
Known digital signatures and wallet-scraping scripts have not yet been definitively linked to a specific drainer kit family, but behavioral analysis confirms redirection flows typical of clipboard manipulators and fake wallet signature prompts. The campaign's rapid deployment via Cloudflare Pages and pages.dev subdomains suggests an effort to evade traditional domain blacklists through ephemeral infrastructure.

The domain resolves to IP 172.66.47.109 and currently shows 0 detections on VirusTotal out of 95 engines scanned. Analyzed on seed e4e9e3, the site is registered via Cloudflare, Inc. and benefits from a Google Safe Browsing (GSB) status of not flagged. Cloudflare's infrastructure and Google Trust Services SSL certification complicate early detection, allowing the site to operate under the guise of legitimate OKX services. Blocklist coverage remains sparse due to its recent emergence and Cloudflare's widespread use in both benign and malicious contexts.

This domain was flagged via an automated threat intelligence pipeline seeded e4e9e3 after detecting cloned OKX TRON web3 interface patterns designed to harvest wallet connections and sign fraudulent transactions. Technical indicators include resolution to IP 172.66.47.109, Cloudflare registration, and a Google Trust Services SSL certificate covering the pages.dev wildcard zone. The landing page mimics OKX's TRC-20 USDT interface, embedding malicious JavaScript that intercepts wallet connections and monitors clipboard data for USDT TRC-20 addresses. As of this report, VirusTotal detection stands at 0/95, indicating minimal external scrutiny despite clear brand impersonation intent. The domain was created within recent days, with no historical WHOIS data indicating prior reputation. Google Safe Browsing and major threat feeds have not yet flagged this specific subdomain due to its youth and Cloudflare-hosted nature. The site remains active with a status of under investigation.
Immediate response includes DNS filtering against 172.66.47.109 and domain blocks for okx-web3-tron-usdt-trc20-000000590.pages.dev. Users are advised to verify all OKX-linked communications via the official okx.com domain and avoid TRON-based USDT transactions from unknown web3 interfaces. Remaining risk is classified as active but contained, with potential for broader abuse if the drainer kit evolves or spreads via phishing campaigns. Continuous monitoring is required to capture emergent IOCs and prevent wallet compromises targeting TRX and USDT holders.

[Updates since narrative was generated:]
- VirusTotal detections: now 10/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: 249924abf948f5ef3aed1c779197cabfdfb9128f2e42d35f39feaebdd05fead7

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged.
A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/okx-web3-tron-usdt-trc20-000000590.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=okx-web3-tron-usdt-trc20-000000590.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io