# PhishDestroy threat dossier — restoremykey.com

Fetched: 2026-05-11 14:10:55 UTC
Canonical: https://phishdestroy.io/domain/restoremykey.com/

## VERDICT

TAKEN DOWN (neutralised)

Composite threat score: 81/100 (PhishDestroy scoring — see methodology below)
Scam classification: Seed Phrase Theft
Targeted brand: Seed Phrase Theft

## DETECTION EVIDENCE

VirusTotal: 1/92 security vendors flagged this domain
Flagging vendors: Gridinsoft

## INFRASTRUCTURE

IP address: 162.0.232.170 (US, Los Angeles)
ASN: AS22612 Namecheap, Inc.
Hosting org: Namecheap, Inc.
Registrar: NameCheap, Inc.
Nameservers: dns1.namecheaphosting.com, dns2.namecheaphosting.com
Registered: 2026-05-08
Page title: WIF Recovery, WIF Restore, WIF Recover — Mnemonic, wallet.dat · RestoreMyKey

## TLS CERTIFICATE

Issuer: Sectigo Limited / Sectigo Public Server Authentication CA DV R36
Expires: 2026-11-21
Status: INVALID chain
Fingerprint: c9f9ebfaa0601a9ecb2fa16cf3548c0d7388fe2ca466a73783b3f8ba03d505b8
Subject Alternative Names (related infrastructure — often same operator):
- www.restoremykey.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)

Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE

Domain registered: 2026-05-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-08 18:44:17 UTC (by PhishDestroy tracker)
Earliest abuse record: 2026-05-08 15:45:04 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-10 19:40:03 UTC
Neutralised: 2026-05-09 10:35:09 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)

URLScan.io: https://urlscan.io/result/019e0840-e952-715e-a01b-9254486af683/
URLQuery: https://urlquery.net/report/21e95ace-614d-4ab7-85cd-6ebd1188cf1f
Wayback Machine: https://web.archive.org/web/*/restoremykey.com
crt.sh CT logs: https://crt.sh/?q=%25.restoremykey.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=restoremykey.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/restoremykey.com
URLhaus: https://urlhaus.abuse.ch/host/restoremykey.com/

## ANALYST NARRATIVE

[Generated: 2026-05-08 18:44:44 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies restoremykey.com as an active crypto drainer posing as a cryptocurrency wallet key recovery service.
The domain masquerades as a legitimate recovery platform to trick users into connecting wallets and authorizing fraudulent transactions. Given its unflagged status on VirusTotal and recent registration, this threat represents a high-risk impersonation attack targeting cryptocurrency holders seeking to recover lost or compromised keys.

The domain was flagged for its use of a generic, trustworthy-sounding name (registered via Namecheap Inc) and for resolving to IP 162.0.232.170, a server hosting multiple suspicious domains. The site went live on May 07, 2026, just days before detection, with no presence on major blocklists at the time of analysis. Despite 0 detections on VirusTotal (0/95 scans), it holds an SSL certificate from Sectigo Limited, which lends superficial legitimacy to its credential and wallet-connection prompts. The lack of historical traffic, zero third-party reputation, and fresh registration window significantly elevate the risk profile.

To mitigate exposure, users are strongly advised to avoid any interaction with restoremykey.com or similar key-recovery services promising 'lost key restoration.' Never connect wallets or enter private keys into unfamiliar platforms. Verify all recovery services through official brand channels or reputable security platforms like PhishDestroy. Enable hardware-wallet protections, use transaction-simulation tools, and monitor connected wallets for unauthorized approvals. Report any encounters with this domain to PhishDestroy or relevant blockchain security networks to help block its infrastructure.
[Updates since narrative was generated:]
- VirusTotal detections: now 1/92 (narrative was written when the count was lower)

## EVIDENCE HASHES

PhishDestroy Case ID: PD-20260508-C2D229
Favicon MD5: 5b8ca4dbc6cd30dec3985c31402e7061
TLS cert SHA-256: c9f9ebfaa0601a9ecb2fa16cf3548c0d7388fe2ca466a73783b3f8ba03d505b8

## SCORING METHODOLOGY

The composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS

Full HTML report: https://phishdestroy.io/domain/restoremykey.com/
JSON API: https://api.destroy.tools/v1/check?domain=restoremykey.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 148,214 domains (45,139 alive under monitoring, 102,795 confirmed takedowns/dead). Site: https://phishdestroy.io