# PhishDestroy threat dossier — rode.finance
================================================================
Fetched: 2026-06-07 03:29:29 UTC
Canonical: https://phishdestroy.io/domain/rode.finance/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/94 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 216.198.79.1 (US, Atlanta)
ASN: AS16509 Amazon.com, Inc.
Hosting org: Lefkoff Industries
Registrar: HOSTINGER operations, UAB
Nameservers: ["orbit.dns-parking.com", "horizon.dns-parking.com"]
Registered: 2026-04-17
Expires: 2027-04-10
Page title: RODE | Predict. Convict. Earn.
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-07-09
Status: INVALID chain
Fingerprint: 4267bdf72d83bcb058e5c4b1b91a480bad97afa24b16501a95ee88fec85a9152

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-18 00:25:24 UTC (by PhishDestroy tracker)
Last verified: 2026-06-07 04:48:56 UTC
Neutralised: 2026-06-06 17:37:05 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d9d51-eb2f-75ca-b0a1-9cdc160eb98a/
Wayback Machine: https://web.archive.org/web/*/rode.finance
crt.sh CT logs: https://crt.sh/?q=%25.rode.finance
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=rode.finance
AlienVault OTX: https://otx.alienvault.com/indicator/domain/rode.finance
URLhaus: https://urlhaus.abuse.ch/host/rode.finance/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-18 00:27:01 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

rode.finance is an active cryptocurrency scam posing as a decentralized finance (DeFi) platform. The site targets users by offering unrealistically high yield returns to trick victims into connecting their digital wallets and authorizing fraudulent transactions. Once connected, the platform steals cryptocurrency assets by exploiting smart contract permissions or directly transferring funds to attacker-controlled addresses. Users who interact with this site risk permanent financial losses, as blockchain transactions are irreversible and typically not recoverable once executed. The domain resolves to IP address 216.198.79.1, which is associated with Hostinger operations, and was registered on April 10, 2026, only days ago — a hallmark of opportunistic fraud setups.

This domain poses a high risk due to multiple red flags identified in a security assessment conducted on seed 7c6b43. rode.finance has a clean status on VirusTotal with 0 out of 95 security engines detecting malicious content, underscoring how new and evasive such threats can be. The domain is registered through Hostinger operations (UAB), a hosting provider often abused by threat actors due to lax verification processes and affordable pricing. Its registration date of April 10, 2026 suggests this scam was launched recently, likely targeting early adopters of new DeFi projects. Despite the lack of immediate detection, the site mimics legitimate DeFi interfaces using Let’s Encrypt SSL certificates to appear trustworthy, increasing the likelihood of user deception.

Users who have visited rode.finance or attempted to interact with it must take immediate action to protect their assets. First, disconnect and revoke any wallet permissions granted to the site using tools like Etherscan’s “Token Approvals” or browser-based wallet security extensions. Do not connect any cryptocurrency wallet or enter private keys. Clear browser cache and cookies related to the domain to prevent persistent pop-ups or redirects. If any unauthorized transactions occurred, report the incident to your wallet provider and relevant blockchain explorers immediately. Consider transferring remaining assets to a newly created wallet with no prior exposure. Always verify financial platforms through official channels and community reviews before engaging, especially when high-yield opportunities seem too good to be true — they likely are.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: b695b55156ddca0db8b905041615ab4c
TLS cert SHA-256: 4267bdf72d83bcb058e5c4b1b91a480bad97afa24b16501a95ee88fec85a9152

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/rode.finance/
JSON API: https://api.destroy.tools/v1/check?domain=rode.finance
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 157,760 domains (42,504 alive under monitoring, 114,286 confirmed takedowns/dead).
Site: https://phishdestroy.io