# PhishDestroy threat dossier — smartprotocoltoken.web.app
================================================================

Fetched:   2026-04-22 02:49:49 UTC
Canonical: https://phishdestroy.io/domain/smartprotocoltoken.web.app/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 87/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      199.36.158.100 (US, Mountain View)
ASN:             AS54113 Fastly, Inc.
Hosting org:     Google LLC
Registrar:       Google LLC
Nameservers:     NS_NOT_FOUND
Registered:      2026-04-06
Page title:      Smart Protocol Token
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WR4
Expires:    2026-06-18
Status:     INVALID chain
Fingerprint: 38e3c92d485d84e61795f095cb3c5f8db07098cd4faa453f265668221022a6fc
Subject Alternative Names (related infrastructure — often same operator):
  - web.app

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-06 16:40:11 UTC (by PhishDestroy tracker)
Last verified:     2026-04-21 16:09:10 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d6300-58de-75ff-9125-482b6ad150bd/
Wayback Machine:  https://web.archive.org/web/*/smartprotocoltoken.web.app
crt.sh CT logs:   https://crt.sh/?q=%25.smartprotocoltoken.web.app
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=smartprotocoltoken.web.app
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/smartprotocoltoken.web.app
URLhaus:          https://urlhaus.abuse.ch/host/smartprotocoltoken.web.app/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-06 16:45:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies smartprotocoltoken.web.app as an active brand impersonation domain engineered to mimic the OKX cryptocurrency exchange platform. This malicious domain leverages Google's Firebase hosting infrastructure to craft a facade that closely mirrors the legitimate OKX web presence, potentially ensnaring unsuspecting users seeking trading or wallet services. The domain attempts to exploit brand recognition and trust in OKX to harvest credentials, seed phrases, or sensitive transaction data through fraudulent login pages or wallet interaction prompts typically associated with drainer kits observed in recent crypto-targeting campaigns. The typographical convergence between the malicious domain and the legitimate OKX platform increases the risk of successful social engineering.  

Technical assessment reveals several key indicators for this threat. The domain resolves to the IP address 199.36.158.100 and utilizes an SSL certificate issued by Google Trust Services, which may lend superficial legitimacy. VirusTotal currently reports 0 out of 95 detection engines flagging the domain or its associated URL, indicating evasion of most antivirus and security platforms. The domain was registered through Google LLC via Firebase Hosting, a platform that provides free or low-cost web hosting with minimal identity verification. Google Safe Browsing (GSB) status remains unconfirmed or neutral in available checks, and preliminary blocklist queries indicate no prior listings. These factors suggest a recently activated or highly targeted campaign designed to bypass automated detection mechanisms.  

The current status of smartprotocoltoken.web.app is classified as active and under investigation, with no immediate mitigation by major threat intelligence platforms. Given its low detection footprint and effective impersonation of a major financial brand, the residual risk to cryptocurrency users and brand reputation remains elevated. As a precautionary measure, users are strongly advised to verify any URL containing 'okx' or similar trading-related keywords, cross-reference SSL certificates, and avoid accessing trading platforms via third-party links received via email, social media, or unofficial advertisements. Organizations should add the domain to internal blocklists, monitor network egress for connections to its IP, and update user awareness programs to highlight this specific impersonation pattern. While the immediate threat is under active evaluation, the absence of detections underscores the need for heightened vigilance in the cryptocurrency ecosystem.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256:      38e3c92d485d84e61795f095cb3c5f8db07098cd4faa453f265668221022a6fc

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/smartprotocoltoken.web.app/
JSON API:          https://api.destroy.tools/v1/check?domain=smartprotocoltoken.web.app
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io