# PhishDestroy threat dossier — opneclawai.top ================================================================ Fetched: 2026-05-31 18:01:58 UTC Canonical: https://phishdestroy.io/domain/opneclawai.top/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Solana ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 5/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Certego, Forcepoint ThreatSeeker, Gridinsoft, SOCRadar URLQuery: 4 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.96.3 Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Nameservers: carla.ns.cloudflare.com, weston.ns.cloudflare.com Registered: 2026-04-25 Page title: OpenClaw AI — Solana Token Analytics ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-07-24 Status: INVALID chain Fingerprint: 32304262f2f1e9a91db365b3d28476c15cae7854cb758a4510c47d2df3e0193d ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-26 05:20:11 UTC (by PhishDestroy tracker) First reported: 2026-05-25 11:20:42 UTC (abuse notice filed) Last verified: 2026-05-31 17:20:38 UTC Neutralised: 2026-05-28 00:19:44 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e5ed9-d980-73eb-8c9e-b4668641bf65/ URLQuery: https://urlquery.net/report/e088ac35-0ab9-4279-ba3d-4d6e44ae391c Wayback Machine: https://web.archive.org/web/*/opneclawai.top crt.sh CT logs: https://crt.sh/?q=%25.opneclawai.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=opneclawai.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/opneclawai.top URLhaus: https://urlhaus.abuse.ch/host/opneclawai.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-26 05:27:49 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] opneclawai.top is an active brand-impersonation phishing domain targeting Solana users by masquerading as an analytics platform named OpenClaw AI. The site’s page title explicitly mirrors Solana-related services, deceiving visitors into believing it is an official Solana analytics tool. This domain poses an elevated risk by luring users to connect wallets or submit credentials under false pretenses, enabling cryptocurrency theft or credential harvesting. The threat is particularly acute given the sophisticated mimicry of legitimate Solana-branded services, which is a common tactic used to exploit users’ trust in established blockchain ecosystems. This domain was flagged by PhishDestroy, MetaMask, SEAL, and Maltrail, and appears on 4 security blocklists. VirusTotal analysis shows 5 out of 95 security vendors detecting malicious activity. The domain resolves to IP 188.114.96.3 and utilizes a Let's Encrypt SSL certificate to appear legitimate. Registered through PDR Ltd. d/b/a PublicDomainRegistry.com, the domain was created on April 25, 2026, indicating a very recent setup designed for short-term malicious campaigns. The combination of a newly registered domain, low detection rates on VirusTotal, and multiple blocklist inclusions highlights a high-risk infrastructure with active evasion techniques. The Let's Encrypt certificate, while not inherently malicious, is frequently abused by threat actors to enhance the perceived legitimacy of phishing sites. To mitigate exposure to this threat, users should avoid accessing opneclawai.top entirely and should not interact with any embedded links or content. Users who have already visited the site should immediately disconnect any connected wallets, revoke any granted permissions via their wallet’s security settings, and scan their devices for malware using reputable antivirus software. Enterprises and security teams should block this domain at the network level using DNS filtering and add it to internal threat intelligence feeds for proactive detection. Additionally, users should cross-reference the legitimacy of Solana-related services only through official Solana channels or trusted third-party platforms. Reporting this domain to security vendors and browser-based phishing reporting tools can help enhance collective defense against similar threats. The domain’s recent creation and low detection rate suggest it may remain active for a short period, emphasizing the need for immediate action to prevent potential financial loss or credential compromise. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260525-33A82F TLS cert SHA-256: 32304262f2f1e9a91db365b3d28476c15cae7854cb758a4510c47d2df3e0193d ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/opneclawai.top/ JSON API: https://api.destroy.tools/v1/check?domain=opneclawai.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 156,483 domains (38,707 alive under monitoring, 117,228 confirmed takedowns/dead). Site: https://phishdestroy.io