# PhishDestroy threat dossier — revoke-thorchain.org
================================================================

Fetched:   2026-05-20 06:51:06 UTC
Canonical: https://phishdestroy.io/domain/revoke-thorchain.org/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Crypto Drainer
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      3/95 security vendors flagged this domain
  Flagging vendors: CRDF, Gridinsoft, SOCRadar
URLQuery:        2 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.88.47 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     Cloudflare, Inc.
Registrar:       PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers:     ganz.ns.cloudflare.com, kate.ns.cloudflare.com
Registered:      2026-05-15
Page title:      THORChain — Asset Recovery & Approval Revoke Portal
HTTP response:   530

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-08-13
Status:     INVALID chain
Fingerprint: 5f13093e8f9aa0419db42cc76464b25f7fc4f65b570fb6de0ddec77be392489a

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-15 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-05-16 21:12:44 UTC (by PhishDestroy tracker)
First reported:    2026-05-16 18:14:13 UTC (abuse notice filed)
Last verified:     2026-05-20 07:02:48 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019e31fb-f441-7739-b5eb-f2effebdf38a/
URLQuery:         https://urlquery.net/report/1d0e2bfe-dde5-4823-8b82-3e5d7f163066
Wayback Machine:  https://web.archive.org/web/*/revoke-thorchain.org
crt.sh CT logs:   https://crt.sh/?q=%25.revoke-thorchain.org
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=revoke-thorchain.org
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/revoke-thorchain.org
URLhaus:          https://urlhaus.abuse.ch/host/revoke-thorchain.org/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-16 21:13:20 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies revoke-thorchain.org as a crypto wallet drainer site impersonating the OKX exchange brand. This domain attempts to deceive users into connecting their wallets to a malicious smart contract, with the goal of draining funds under the false pretense of revoking token allowances. The site specifically abuses the Thorchain ecosystem branding to appear legitimate, leveraging fake revocation pages that are common in crypto scams targeting OKX users. The infrastructure suggests a coordinated effort to exploit brand recognition and urgency tactics, typical of drainer-as-a-service operations.

This domain was flagged by Google Safe Browsing (GSB) and detected by 3 out of 95 VirusTotal security vendors. It resolves to IP address 104.21.88.47 and was registered on May 15, 2026 through PDR Ltd. d/b/a PublicDomainRegistry.com. The domain uses a Let's Encrypt SSL certificate to appear trustworthy, though this does not validate its legitimacy. The combination of brand impersonation, recent creation date, and low detection rate at time of analysis indicates elevated risk, particularly for users searching for Thorchain or OKX-related services. The domain's targeting of crypto wallet connections places it firmly in the drainer category, a high-severity threat vector in web3 environments.

revoke-thorchain.org remains active and unresolved as of this assessment. MetaMask has already implemented blocking measures against the domain, and it appears on at least one active security blocklist. No public takedown notices or sinkholing efforts have been confirmed. Users should avoid visiting this domain entirely, especially those attempting to interact with Thorchain or OKX services. Even accidental connection of a wallet to this site could result in fund loss. The domain's recent registration and low initial detection rate suggest it may be part of a larger, ongoing campaign. Affected users should revoke any unauthorized smart contract approvals immediately and monitor wallet activity for suspicious transactions. Remaining risk is elevated due to the domain's active status and the fact that advanced users may still fall victim to social engineering tactics involving fake revocation pages.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260516-B58C77
Favicon MD5:       2a4a09444e880ab13bd2635e815798fd
TLS cert SHA-256:      5f13093e8f9aa0419db42cc76464b25f7fc4f65b570fb6de0ddec77be392489a

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/revoke-thorchain.org/
JSON API:          https://api.destroy.tools/v1/check?domain=revoke-thorchain.org
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 151,769 domains (43,198 alive under monitoring, 108,189 confirmed takedowns/dead). Site: https://phishdestroy.io