# PhishDestroy threat dossier — scoorpioncc.store
================================================================
Fetched: 2026-07-02 02:55:03 UTC
Canonical: https://phishdestroy.io/domain/scoorpioncc.store/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 63/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/91 security vendors flagged this domain
Flagging vendors: CRDF, Gridinsoft, SOCRadar
AlienVault OTX: 4 pulses (threat-intel feed mentions)
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 91.240.20.27 (NL, Amsterdam)
ASN: AS59939 WIBO Baltic UAB
Hosting org: Hooray Solutions Corp.
Registrar: INWX GmbH
Nameservers: ["ns1.owlhost.net", "ns2.owlhost.net"]
Registered: 2025-10-15
Expires: 2026-10-15
Page title: Scorpion-Shop, scorpioncc, scorpioncc store, scorpioncc cc

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E7
Expires: 2026-08-15
Status: INVALID chain
Fingerprint: 9c385f847fc6fd92518611abbe4c7b0845d035d6482959afa1811efeda712d9f
Subject Alternative Names (related infrastructure — often same operator):
- ftp.scoorpioncc.store
- mail.scoorpioncc.store
- pop.scoorpioncc.store
- smtp.scoorpioncc.store
- www.scoorpioncc.store

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-10-15 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-09 05:31:10 UTC (by PhishDestroy tracker)
First reported: 2026-06-15 06:46:52 UTC (abuse notice filed)
Last verified: 2026-07-02 04:20:34 UTC
Neutralised: 2026-06-17 18:21:04 UTC
Current status: taken down (registrar suspended or DNS dead)

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 01:47:39 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, scoorpioncc.store, is flagged as a generic phishing site impersonating ScorpionCC, a known payment and cryptocurrency service platform. Analysis indicates the site was designed to mimic the legitimate ScorpionCC storefront, likely to harvest user credentials, payment details, or cryptocurrency wallet information. The page title explicitly references Scorpion-Shop, scorpioncc, scorpioncc store, and scorpioncc cc, reinforcing its targeting of users familiar with the brand. No specific drainer kit signatures were identified in available telemetry, but the domain aligns with common phishing infrastructure patterns.

Infrastructure analysis reveals the following technical indicators: the domain was registered through INWX GmbH on October 15, 2025, and resolves to the IP address 91.240.20.27. VirusTotal detections show 3 out of 95 security vendors flagging the domain as malicious. The domain appears on one security blocklist and is referenced in four AlienVault OTX threat intelligence pulses. The SSL certificate is issued by Let’s Encrypt, a common choice for both legitimate and malicious sites due to its accessibility.
No Google Safe Browsing (GSB) hits were recorded at the time of analysis, though this may reflect delayed reporting rather than benign status.

The domain is currently offline, reducing immediate risk to end users. However, the infrastructure remains registered and could be reactivated or repurposed for future campaigns. Response actions include its inclusion in PhishDestroy’s blocklist and monitoring by multiple threat intelligence platforms. Remaining risk is classified as elevated due to the domain’s recent registration, low detection rate, and association with a known phishing target. Organizations are advised to block the domain and IP at the network level, monitor for related indicators, and alert users to potential credential exposure if interaction occurred prior to takedown.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 8cf6795e2ebec6986d9c7e83851d1539
TLS cert SHA-256: 9c385f847fc6fd92518611abbe4c7b0845d035d6482959afa1811efeda712d9f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/scoorpioncc.store/
JSON API: https://api.destroy.tools/v1/check?domain=scoorpioncc.store
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,583 domains (13,714 alive under monitoring, 159,163 confirmed takedowns/dead).
Site: https://phishdestroy.io