# PhishDestroy threat dossier — premiumswiftcourierservices.com ================================================================ Fetched: 2026-04-22 08:32:39 UTC Canonical: https://phishdestroy.io/domain/premiumswiftcourierservices.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 40/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/94 security vendors flagged this domain ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 37.49.229.75 (NL, Amsterdam) ASN: AS3920 PUSHPKT OU Hosting org: ESTOXY OU Registrar: OwnRegistrar, Inc. Nameservers: ns1.controlpanel.sbs, ns2.controlpanel.sbs, null Registered: 2025-11-20 Page title: Welcome to Premium Swift Courier Services - Premium Global Shipping Solutions HTTP response: 429 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-07-19 Status: INVALID chain Fingerprint: 36d465995d0479b2a944440316332dc7117217dbfb9a52c69ab414c09ceee78f ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-11-20 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-20 15:18:54 UTC (by PhishDestroy tracker) First reported: 2026-04-20 12:19:49 UTC (abuse notice filed) Last verified: 2026-04-22 01:40:09 UTC Neutralised: 2026-04-22 00:26:07 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019daad3-7558-70d8-803f-d463ca5d7357/ URLQuery: https://urlquery.net/report/9f08ea15-0a27-40f0-abe2-678db8eaf2b3 Wayback Machine: https://web.archive.org/web/*/premiumswiftcourierservices.com crt.sh CT logs: https://crt.sh/?q=%25.premiumswiftcourierservices.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=premiumswiftcourierservices.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/premiumswiftcourierservices.com URLhaus: https://urlhaus.abuse.ch/host/premiumswiftcourierservices.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-20 15:19:35 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies premiumswiftcourierservices.com as an active crypto drainer scam designed to trick users into connecting crypto wallets for unauthorized fund transfers. This domain mimics legitimate courier services to deceive victims into signing malicious blockchain transactions, draining digital assets without consent. The threat operates under the guise of package delivery or shipping confirmation, leveraging urgency and fake tracking details to compel wallet connections. Technical analysis reveals the domain was registered on November 20, 2025, through OwnRegistrar, Inc., and resolves to IP 37.49.229.75 with an SSL certificate issued by Let’s Encrypt. Currently, VirusTotal shows 0 detections out of 95 scanners, indicating this threat remains under the radar despite active operation. PhishDestroy’s latest assessments show no presence on blocklists, further highlighting the stealthy nature of this campaign. Evidence supporting the classification of premiumswiftcourierservices.com as a high-risk crypto drainer includes its recent creation date, obscure registrar, and lack of detection despite active phishing activity. The domain’s infrastructure—hosted on 37.49.229.75 and secured with a Let’s Encrypt certificate—demonstrates typical attacker tactics to appear legitimate while avoiding immediate detection. The absence of VirusTotal detections (0/95) and zero blocklist entries underscores the domain’s ability to evade traditional security measures, posing a significant risk to users who may unknowingly engage with it. Such tactics are characteristic of sophisticated phishing operations targeting cryptocurrency users, where attackers exploit trust in familiar service brands to execute fraudulent transactions. Users who visited or interacted with premiumswiftcourierservices.com should immediately disconnect from the site and revoke any wallet connections or permissions granted. Scan connected devices for malware using reputable antivirus tools, and monitor wallets for unauthorized transactions. Report the domain to PhishDestroy and relevant cybersecurity platforms to aid in its takedown. Avoid reusing passwords or sharing sensitive information on this domain, as attackers may harvest credentials for further exploitation. Proactively verify websites by checking domain registrations, SSL certificates, and independent reviews before engaging. Stay vigilant against unsolicited shipping notifications or delivery-related requests, especially those demanding urgent wallet connections. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260420-72D44F Favicon MD5: 9208bfcbda8f3be6cae922e51d0d0d44 TLS cert SHA-256: 36d465995d0479b2a944440316332dc7117217dbfb9a52c69ab414c09ceee78f ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/premiumswiftcourierservices.com/ JSON API: https://api.destroy.tools/v1/check?domain=premiumswiftcourierservices.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io