# PhishDestroy threat dossier — realfi.finance ================================================================ Fetched: 2026-06-28 23:41:16 UTC Canonical: https://phishdestroy.io/domain/realfi.finance/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 79/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 4/91 security vendors flagged this domain Flagging vendors: CRDF, Forcepoint ThreatSeeker, Gridinsoft, SOCRadar AlienVault OTX: 5 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 160.153.128.23 (FR, Strasbourg) ASN: AS21499 Host Europe GmbH Hosting org: GoDaddy.com, LLC Registrar: GoDaddy.com, LLC Nameservers: ["ns47.domaincontrol.com", "ns48.domaincontrol.com"] Registered: 2026-06-08 Expires: 2027-03-02 Page title: RealFi | Real World Finance on Cardano ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-08-15 Status: INVALID chain Fingerprint: 15c48ff64e32f04f59e653b2ddee45ab5a9103bfdf7309a890708d5098441488 Subject Alternative Names (related infrastructure — often same operator): - cpanel.realfi.finance - mail.realfi.finance - webdisk.realfi.finance - www.realfi.finance ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-09 05:31:14 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-06-08 16:12:20 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-06-29 00:20:41 UTC Neutralised: 2026-06-16 00:35:24 UTC Current status: taken down (registrar suspended or DNS dead) Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019ea7fd-66c0-74ab-9908-5faa708488bc/ URLQuery: https://urlquery.net/report/a83b6ce3-733a-4c74-93d3-08ed491876f2 Wayback Machine: https://web.archive.org/web/*/realfi.finance crt.sh CT logs: https://crt.sh/?q=%25.realfi.finance Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=realfi.finance AlienVault OTX: https://otx.alienvault.com/indicator/domain/realfi.finance URLhaus: https://urlhaus.abuse.ch/host/realfi.finance/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-26 01:39:14 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, realfi.finance, is flagged as a generic phishing site targeting users of decentralized finance (DeFi) platforms on the Cardano blockchain. Analysis indicates the site mimics legitimate RealFi (Real World Finance) services, likely deploying a crypto wallet drainer kit to harvest private keys or seed phrases from unsuspecting victims. The page title, 'RealFi | Real World Finance on Cardano,' directly aligns with known branding used in fraudulent schemes to exploit trust in established DeFi projects. Technical indicators confirm the malicious nature of this domain. It holds a VirusTotal detection score of 4/95, with security vendors identifying it as a phishing threat. The domain was registered on June 8, 2026, through GoDaddy.com, LLC, and resolves to the IP address 160.153.128.23. It appears on three security blocklists and is referenced in five AlienVault OTX threat intelligence pulses. The SSL certificate is issued by Let's Encrypt, a common tactic to feign legitimacy. Infrastructure analysis reveals the domain is blocked by MetaMask, PhishDestroy, and SEAL, further corroborating its malicious intent. As of the latest assessment, realfi.finance has been taken offline, reducing immediate risk to users. However, the domain remains registered, and its infrastructure could be reactivated or repurposed for future campaigns. The elevated risk level persists due to the domain's history and the potential for re-emergence. Users are advised to verify the authenticity of any RealFi-related domains by cross-referencing official project channels and to monitor wallet activity for unauthorized transactions. Security teams should maintain blocklist entries for this domain and its associated IP to prevent future exploitation. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260608-97A481 TLS cert SHA-256: 15c48ff64e32f04f59e653b2ddee45ab5a9103bfdf7309a890708d5098441488 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/realfi.finance/ JSON API: https://api.destroy.tools/v1/check?domain=realfi.finance Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 172,161 domains (14,576 alive under monitoring, 157,073 confirmed takedowns/dead). Site: https://phishdestroy.io