# PhishDestroy threat dossier — okxz.show
================================================================

Fetched: 2026-04-23 09:37:13 UTC
Canonical: https://phishdestroy.io/domain/okxz.show/

## VERDICT
----------------------------------------------------------------

TAKEN DOWN (neutralised)
Composite threat score: 62/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 0/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 156.226.17.36 (HK, Hong Kong)
ASN: AS132813 HK AISI CLOUD COMPUTING LIMITED
Hosting org: Ruiou International Network Limited
Registrar: Dynadot Inc
Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net
Registered: 2026-04-22
Expires: 2027-03-16
Page title: okx官方网站

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: none
Status: INVALID chain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-04-22 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-22 16:46:28 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-22 13:47:29 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-04-23 07:40:06 UTC
Neutralised: 2026-04-22 19:25:02 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019db56f-949d-739c-b43c-d89dbaae6035/
URLQuery: https://urlquery.net/report/90786167-eb10-441d-9c40-d31d136f63ad
Wayback Machine: https://web.archive.org/web/*/okxz.show
crt.sh CT logs: https://crt.sh/?q=%25.okxz.show
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=okxz.show
AlienVault OTX: https://otx.alienvault.com/indicator/domain/okxz.show
URLhaus: https://urlhaus.abuse.ch/host/okxz.show/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-04-22 16:47:18 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies okxz.show as a newly registered domain actively impersonating the legitimate cryptocurrency exchange OKX.
Based on forensic analysis, this domain appears to be configured as a crypto drainer — a malicious tool designed to steal cryptocurrency from unsuspecting users by mimicking a trusted exchange platform. Upon visiting, the site likely prompts visitors to connect a wallet or enter login credentials under the guise of an airdrop, giveaway, or security update, enabling the threat actor to drain funds directly from connected wallets or harvest sensitive credentials for future attacks. Given the sophistication of modern crypto drainers, even minor visual similarities to OKX could mislead users into authorizing malicious transactions.

This domain was flagged due to clear brand impersonation targeting OKX, a leading global exchange. Technical analysis reveals it resolves to IP address 156.226.17.36 and was registered on March 16, 2026 through Dynadot Inc. As of the latest scan, VirusTotal reports 0 out of 95 security engines detecting malicious activity, indicating this threat remains under the radar of major antivirus platforms. While currently unflagged on most blocklists, the domain's recent creation date and impersonation pattern are classic indicators of a rapidly evolving threat designed to evade detection. Users are urged to treat this domain with extreme caution, as early-stage crypto drainers often deploy obfuscated JavaScript and real-time phishing kits to bypass static analysis tools.

If you have visited okxz.show or interacted with any page on this domain, take immediate action to secure your digital assets. Disconnect any cryptocurrency wallets from the site and revoke any permissions granted through wallet connections, especially those linked to OKX or other major exchanges. Scan your system for malware using reputable security software and consider rotating all passwords associated with your exchange accounts. Report the domain to PhishDestroy for analysis and share your experience with the security community to prevent further victimization.
Always verify URLs by checking for official branding, secure HTTPS connections, and cross-referencing domain registrations using trusted tools before entering sensitive information.

## EVIDENCE HASHES
----------------------------------------------------------------

PhishDestroy Case ID: PD-20260422-AB7A20

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/okxz.show/
JSON API: https://api.destroy.tools/v1/check?domain=okxz.show
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io