# PhishDestroy threat dossier — pumpstreams.expl.live
================================================================
Fetched: 2026-05-26 04:22:35 UTC
Canonical: https://phishdestroy.io/domain/pumpstreams.expl.live/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 89/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker, Gridinsoft, SOCRadar
Public blocklists: listed on 4 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 104.21.73.4 (inside Cloudflare's 104.16.0.0/13 anycast range, so this is the CDN edge, not the origin host; abuse reports for the hosting layer go to Cloudflare, and the origin is not exposed by this record)
Registrar: REGISTRAR_NOT_FOUND
Nameservers: NS_NOT_FOUND
Registered: 2026-05-25

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-26 05:09:43 UTC (by PhishDestroy tracker)
Last verified: 2026-05-26 05:30:02 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e6019-3522-7328-b22d-a93fa1762ada/
Wayback Machine: https://web.archive.org/web/*/pumpstreams.expl.live
crt.sh CT logs: https://crt.sh/?q=%25.pumpstreams.expl.live
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=pumpstreams.expl.live
AlienVault OTX: https://otx.alienvault.com/indicator/domain/pumpstreams.expl.live
URLhaus: https://urlhaus.abuse.ch/host/pumpstreams.expl.live/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-26 05:18:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies pumpstreams.expl.live as an active domain engaged in a targeted phishing campaign impersonating Pump.fun, a popular Solana-based token launch platform. This domain resolves to IP 104.21.73.4 and is associated with an elevated risk level due to its use in fraudulent activities aimed at deceiving users into connecting their crypto wallets or revealing sensitive credentials. The threat actor behind this domain is likely attempting to harvest private keys, seed phrases, or approvals for unauthorized token transfers under the guise of a legitimate Pump.fun service. This domain exhibits multiple red flags confirmed by reputable security vendors.
VirusTotal reports 4 out of 91 security vendors flagging this domain, indicating partial but not universal detection. The domain is blocked by 5 security solutions including MetaMask, PhishDestroy, SEAL, ScamSniffer, and Maltrail, demonstrating consensus among the crypto-focused blocklists that track wallet-drainer infrastructure. The TLS certificate issued by Let's Encrypt does not mitigate the risk: threat actors routinely obtain legitimate, free certificates so that the padlock appears trustworthy. The domain's infrastructure and behavior align with common phishing tactics, including impersonation of well-known platforms to exploit user trust. Technical analysis suggests the domain is part of a broader campaign targeting Solana ecosystem users, leveraging social engineering to trick victims into authorizing malicious transactions.

Users who have visited pumpstreams.expl.live should take immediate action to secure their assets. Revoke any wallet approvals or permissions granted to this domain or related addresses using tools like Revoke.cash or Rabby Wallet; on Solana the relevant permissions are SPL token delegate authorities, and revoking them only helps if the victim merely signed a transaction. If a seed phrase or private key was typed into the site, revocation is not enough: treat that wallet as fully compromised and move remaining assets to a freshly generated wallet. Check transaction histories for unauthorized transfers and report any suspicious activity to the respective blockchain explorer. Avoid interacting with any prompts or requests for wallet connections from this domain or similar URLs. Enable multi-factor authentication on all crypto-related accounts and use hardware wallets for additional security. Report this domain to your browser's security extensions and consider blocking it to prevent future exposure. Staying vigilant and verifying URLs through official channels can help mitigate the risks posed by such fraudulent domains.

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/pumpstreams.expl.live/
JSON API: https://api.destroy.tools/v1/check?domain=pumpstreams.expl.live
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 153,839 domains (37,705 alive under monitoring, 114,304 confirmed takedowns/dead).
Site: https://phishdestroy.io
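The cloaking signal above (a custom HTTP 666 for scanners, the real page for victims, type content_divergence) can be reproduced with a small multi-persona probe. The script below is an added example, not PhishDestroy's own tracker code: the three request personas, the normalisation rules, the `detect_cloaking` verdict shape and the constructed sample responses are all assumptions made here to mirror what the dossier describes, and the only live-network part is the `fetch`/`probe` pair, which is not exercised by the built-in sample.

```python
"""Cloaking check by content divergence: does the host answer an automated
scanner differently from a browser that looks like a victim?

Added example (not PhishDestroy code). Personas, HTTP 666 handling and the
SAMPLE responses are constructed to mirror the dossier's finding.
"""
import hashlib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Assumed personas: an obviously automated client, a headless browser, and a
# desktop browser arriving from a search result (what a victim looks like).
PERSONAS = {
    "scanner": {"User-Agent": "python-requests/2.31.0", "Accept": "*/*"},
    "headless": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0",
                 "Accept": "text/html"},
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                              "AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
                "Accept": "text/html,application/xhtml+xml",
                "Accept-Language": "en-US,en;q=0.9",
                "Referer": "https://www.google.com/"},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def normalize(body: str) -> str:
    """Strip per-request noise (CSP nonces, long numeric cache busters,
    whitespace) so two renders of the same page fingerprint identically."""
    b = re.sub(r'\snonce="[^"]*"', "", body)
    b = re.sub(r"\d{10,}", "", b)
    return re.sub(r"\s+", " ", b).strip().lower()


def fingerprint(r: Response) -> str:
    return hashlib.sha256(normalize(r.body).encode()).hexdigest()[:16]


def detect_cloaking(samples: dict[str, Response]) -> dict:
    """Verdict over responses keyed by persona name.

    cloaking is flagged when personas receive different page content.
    nonstandard_status lists personas that got a code outside 100-599
    (the dossier's HTTP 666): a scanner-block signal on its own, before
    bodies are even compared.
    """
    statuses = {p: r.status for p, r in samples.items()}
    prints = {p: fingerprint(r) for p, r in samples.items()}
    nonstandard = {p: s for p, s in statuses.items() if not 100 <= s <= 599}
    # Group personas by what they were served; more than one group = divergence.
    groups: dict[str, list[str]] = {}
    for persona, fp in prints.items():
        groups.setdefault(fp, []).append(persona)
    divergent = len(groups) > 1
    return {
        "cloaking": divergent,
        "type": "content_divergence" if divergent else None,
        "nonstandard_status": nonstandard,
        "served_groups": sorted(groups.values()),
    }


def fetch(url: str, headers: dict[str, str], timeout: float = 10.0) -> Response:
    """Live probe for one persona. urllib raises HTTPError for every non-2xx
    code, including a made-up 666, so the except branch captures those."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read().decode("utf-8", "replace"))


def probe(url: str) -> dict:
    """Fetch the URL once per persona and classify (needs network access)."""
    return detect_cloaking({name: fetch(url, hdrs) for name, hdrs in PERSONAS.items()})


# Constructed, offline sample shaped like the dossier's finding: scanners get
# HTTP 666 and a stub, the browser persona gets the wallet-connect page.
SAMPLE = {
    "scanner": Response(666, "<html><body>blocked</body></html>"),
    "headless": Response(666, "<html><body>blocked</body></html>"),
    "browser": Response(200, '<html><head><script nonce="k9f2">init()</script></head>'
                             "<body><h1>Pump.fun</h1><button>Connect Wallet</button>"
                             "<!-- 1716700000 --></body></html>"),
}

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE))
```

Run `probe("https://<domain>/")` from a host whose egress address is not already on the operator's scanner blocklist; if only the persona with a search-engine Referer receives the real page, that is the same content_divergence PhishDestroy reports, and a 666 to the scanner persona alone is worth recording even when the headless persona is also blocked.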