# PhishDestroy threat dossier — safe-pal.app ================================================================ Fetched: 2026-07-06 17:36:18 UTC Canonical: https://phishdestroy.io/domain/safe-pal.app/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 72/100 (PhishDestroy scoring — see methodology below) Targeted brand: SafePal ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/91 security vendors flagged this domain Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 194.61.120.209 (NL, Amsterdam) ASN: AS62005 BlueVPS OU Hosting org: BV Na17 Registrar: Spaceship, Inc. Nameservers: launch1.spaceship.net, launch2.spaceship.net Registered: 2026-05-29 Expires: 2027-05-29 Page title: SafePal Crypto Wallet App — Independent Guide, Review & Setup (2026) ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-08-31 Status: INVALID chain Fingerprint: 8c1721630a6dd02576f8b3e8390a865e33c5b17f942e03dfa4f1d3880de696dd Subject Alternative Names (related infrastructure — often same operator): - www.safe-pal.app ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 14:31:36 UTC (by PhishDestroy tracker) Last verified: 2026-07-06 18:20:31 UTC Neutralised: 2026-07-06 18:16:50 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3768-7d8e-761a-bf7a-10062cef7eaa/ Wayback Machine: https://web.archive.org/web/*/safe-pal.app crt.sh CT logs: https://crt.sh/?q=%25.safe-pal.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=safe-pal.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/safe-pal.app URLhaus: https://urlhaus.abuse.ch/host/safe-pal.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-06 14:36:28 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged for brand_impersonation, specifically targeting users of the SafePal cryptocurrency wallet service. The site presents itself as an independent guide, review, and setup resource for SafePal, with the page title "SafePal Crypto Wallet App — Independent Guide, Review & Setup (2026)." Such impersonation tactics are commonly employed to deceive users into divulging sensitive credentials, downloading malicious software, or transferring assets under false pretenses. The domain’s content and structure closely mimic legitimate educational or support resources, increasing the likelihood of successful social engineering attacks against unsuspecting victims. Analysis indicates the domain was registered on May 29, 2026, through Spaceship, Inc., a registrar that has been associated with other low-reputation domains in prior campaigns. Infrastructure analysis reveals the domain resolves to the IP address 194.61.120.209, which has not yet been widely flagged in threat intelligence feeds. As of the latest scan, the domain has received 0 detections out of 95 security engines on VirusTotal, suggesting it may still be in the early stages of deployment or evading detection through obfuscation techniques. The SSL certificate is issued by Let's Encrypt, a common tactic to lend an appearance of legitimacy while avoiding the scrutiny associated with paid certificates. No blocklist entries were identified at the time of this assessment, further indicating its current operational status. Users who have visited safe-pal.app are advised to take immediate remedial actions to mitigate potential risks. If credentials or personal information were entered on the site, affected accounts should be secured by revoking active sessions, enabling multi-factor authentication, and monitoring for unauthorized transactions. Devices used to access the domain should undergo a thorough security scan to detect any downloaded payloads or persistent threats. Additionally, users should verify the authenticity of any communications or downloads associated with SafePal by cross-referencing with official channels. Given the domain’s active status and lack of widespread detection, heightened vigilance is recommended for individuals who may have interacted with the site or its content. [Updates since narrative was generated:] - Public blocklists: now listed on 3 feeds ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 84f185235381717879ab6a249e993035 TLS cert SHA-256: 8c1721630a6dd02576f8b3e8390a865e33c5b17f942e03dfa4f1d3880de696dd ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/safe-pal.app/ JSON API: https://api.destroy.tools/v1/check?domain=safe-pal.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 175,540 domains (12,490 alive under monitoring, 162,123 confirmed takedowns/dead). Site: https://phishdestroy.io