# PhishDestroy threat dossier — semerkapahana.shop ================================================================ Fetched: 2026-07-04 10:38:44 UTC Canonical: https://phishdestroy.io/domain/semerkapahana.shop/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Solana Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/91 security vendors flagged this domain Flagging vendors: G-Data Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: Web Commerce Communication Ltd. Nameservers: ["ariadne.ns.cloudflare.com", "ignacio.ns.cloudflare.com"] Registered: 2026-04-28 Page title: SOLANA SPIN HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-28 16:51:39 UTC (by PhishDestroy tracker) First reported: 2026-04-28 16:51:27 UTC (abuse notice filed) Last verified: 2026-07-04 12:20:36 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dd45a-7ce3-770d-b66e-a72ab1f8405e/ Wayback Machine: https://web.archive.org/web/*/semerkapahana.shop crt.sh CT logs: https://crt.sh/?q=%25.semerkapahana.shop Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=semerkapahana.shop AlienVault OTX: https://otx.alienvault.com/indicator/domain/semerkapahana.shop URLhaus: https://urlhaus.abuse.ch/host/semerkapahana.shop/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-28 16:53:09 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies active brand impersonation at semerkapahana.shop, a malicious domain explicitly targeting Solana users through a counterfeit ‘SOLANA SPIN’ lottery scam. The page title mirrors Solana’s branding to deceive visitors into believing the offer is legitimate, while the underlying infrastructure leverages a Let’s Encrypt SSL certificate on 188.114.97.3 to establish superficial credibility. The threat is currently under investigation, yet remains operational and poses a direct risk to users who may surrender wallet credentials or funds under the guise of a ‘reward’ or ‘promotion’. This domain exhibits multiple red flags consistent with active impersonation campaigns. VirusTotal analysis shows zero detections out of 95 engines as of the latest scan, indicating limited signature-based detection despite the malicious intent. The domain resolves to IP 188.114.97.3, which is associated with dynamic hosting environments frequently abused by threat actors. While the SSL certificate issued by Let’s Encrypt adds a veneer of legitimacy, it does nothing to validate the domain’s authenticity. The page title ‘SOLANA SPIN’ is a clear attempt to exploit brand recognition and urgency to trick visitors into engaging with a fraudulent scheme. Users who have visited semerkapahana.shop or interacted with its content should immediately cease all actions, especially those involving Solana wallet connections or cryptocurrency transfers. Do not enter any credentials, private keys, or seed phrases on the site. Review wallet transaction histories for unauthorized movements and revoke any connected dApps or permissions via your wallet interface. If funds were lost or credentials compromised, report the incident to your wallet provider and consider transferring remaining assets to a new, secure wallet. Use reputable ad-blockers, DNS filtering solutions, or browser extensions that block known malicious domains to prevent future exposure. Always verify URLs through official Solana channels and avoid clicking links from unsolicited messages or advertisements. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 6a7e9e696adb354b92da56720cad7dce ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/semerkapahana.shop/ JSON API: https://api.destroy.tools/v1/check?domain=semerkapahana.shop Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,465 domains (12,971 alive under monitoring, 160,675 confirmed takedowns/dead). Site: https://phishdestroy.io