# PhishDestroy threat dossier — ouisyu.one
================================================================
Fetched: 2026-05-01 17:18:44 UTC
Canonical: https://phishdestroy.io/domain/ouisyu.one/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 67/100 (PhishDestroy scoring — see methodology below)
Scam classification: Fake Exchange
Targeted brand: Ethereum

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/94 security vendors flagged this domain
URLQuery: 2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 38.165.23.74 (US, Los Angeles)
ASN: AS967 VMISS Inc.
Hosting org: PEG Tech Inc
Registrar: Gname.com Pte. Ltd.
Nameservers: troy.ns.cloudflare.com, melinda.ns.cloudflare.com
Registered: 2026-04-16
Page title: Buy/Sell Bitcoin, Ethereum and Altcoin | Spot / Perpetual Trading | UCoin Cryptocurrency Exchange

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-07-15
Status: INVALID chain
Fingerprint: 45bf5a3e5ba902a5967773560d246a3481c7f13a44bdc359f69cb48b20fd0045
Subject Alternative Names (related infrastructure — often same operator):
- coiiuys.xyz
- web.coiiuys.xyz
- www.coiiuys.xyz

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-16 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-16 22:34:57 UTC (by PhishDestroy tracker)
Earliest abuse record: 2026-04-16 19:36:24 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-04-25 01:42:21 UTC
Neutralised: 2026-04-21 22:02:13 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d97c8-fc8f-710d-a8e5-b97fa93b92b7/
URLQuery: https://urlquery.net/report/c23e6ed9-0049-44fb-b50e-ba29f7e43cab
Wayback Machine: https://web.archive.org/web/*/ouisyu.one
crt.sh CT logs: https://crt.sh/?q=%25.ouisyu.one
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ouisyu.one
AlienVault OTX: https://otx.alienvault.com/indicator/domain/ouisyu.one
URLhaus: https://urlhaus.abuse.ch/host/ouisyu.one/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-16 22:35:54 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies ouisyu.one as an active phishing site impersonating a cryptocurrency platform to steal wallet credentials and drain assets. This domain, registered through Gname.com Pte. Ltd. on April 08, 2026, currently hosts a fraudulent login page designed to mimic a legitimate crypto service. The site resolves to IP address 38.155.23.74 and uses a Let's Encrypt SSL certificate to appear legitimate, increasing the likelihood of user deception. With zero detections out of 95 VirusTotal scans and no presence on major blocklists at the time of investigation, this threat remains under the radar despite its active operation.

This campaign is classified as a generic phishing attack targeting cryptocurrency users. The domain was flagged due to red flags such as a recently created registration date (April 08, 2026), use of a free SSL certificate from a trusted provider, and hosting on a suspicious IP known for malicious activity. Technical indicators include consistent WHOIS data obfuscation via Gname.com, a registrar frequently associated with disposable domains used in short-lived phishing operations. The absence of detections on VirusTotal (0/95) underscores the need for proactive threat intelligence, as automated scanners often lag behind newly launched campaigns. The domain's infrastructure suggests a coordinated effort to mimic a legitimate service, likely aiming to harvest private keys or seed phrases from unsuspecting victims.

Users who visited ouisyu.one should immediately check their cryptocurrency wallets for unauthorized transactions or unauthorized access. Disconnect any connected devices from the internet to prevent potential malware spread, and revoke any permissions granted to suspicious sites. Change passwords for all crypto-related accounts and enable two-factor authentication where available. Report the domain to PhishDestroy for verification and inclusion in public blocklists to protect other users. Monitor financial accounts closely for unusual activity, and consider transferring funds to a new wallet with enhanced security measures if any compromise is suspected.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260416-F2A523
Favicon MD5: 0c1474688b1349574206d4a24c967f05
TLS cert SHA-256: 45bf5a3e5ba902a5967773560d246a3481c7f13a44bdc359f69cb48b20fd0045

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/ouisyu.one/
JSON API: https://api.destroy.tools/v1/check?domain=ouisyu.one
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io