# PhishDestroy threat dossier — sol-drops.lol
================================================================

Fetched:   2026-04-30 21:23:04 UTC
Canonical: https://phishdestroy.io/domain/sol-drops.lol/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 97/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Solana

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      2/94 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, Gridinsoft

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.96.3 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     CloudFlare, Inc.
Registrar:       Global Domain Group LLC
Nameservers:     johnny.ns.cloudflare.com, kenia.ns.cloudflare.com
Registered:      2026-04-23
Page title:      SolDrops
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-07-23
Status:     INVALID chain
Fingerprint: d82375a4bd65800ed4fc1581d72e0b3231ed237de280694e748454c384de9cf8

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-25 08:15:36 UTC (by PhishDestroy tracker)
First reported:    2026-04-25 05:16:38 UTC (abuse notice filed)
Last verified:     2026-04-30 18:06:41 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dc30f-2c56-724c-913a-13b15de8155e/
URLQuery:         https://urlquery.net/report/be8baa2e-b3dc-46ac-917d-26c0863e010d
Wayback Machine:  https://web.archive.org/web/*/sol-drops.lol
crt.sh CT logs:   https://crt.sh/?q=%25.sol-drops.lol
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=sol-drops.lol
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/sol-drops.lol
URLhaus:          https://urlhaus.abuse.ch/host/sol-drops.lol/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-25 08:16:02 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies the newly registered domain sol-drops.lol as a generic phishing page currently under investigation for deploying a crypto drainer kit targeting Solana ecosystem users. This fraudulent site mimics legitimate airdrop campaigns, tricking victims into connecting wallets under the pretense of receiving free tokens. Crypto drainers like this one are increasingly common on .lol domains and have evolved from fake login portals to sophisticated, automated token-siphoning tools integrated with decentralized frontends. While this threat appears to be in active deployment, its exact drainer payload and targeting scope remain under forensic review as the kit may be dynamically served based on geolocation or user-agent.

Technical indicators for sol-drops.lol confirm a high-risk infrastructure setup. The domain resolves to 188.114.96.3 via Let’s Encrypt SSL (valid certificate), and was registered through Global Domain Group LLC on April 23, 2026. According to VirusTotal, the domain shows 0/95 detection coverage as of the latest scan — a concerning indicator of delayed threat intelligence propagation. No current blocklist entries were found during initial assessment, with Google Safe Browsing status remaining unflagged. The .lol TLD has been repeatedly abused for crypto scams due to low barriers of registration and perceived novelty, enabling quick turnaround for malicious campaigns before takedowns occur.

As of today, sol-drops.lol remains active and accessible, with no confirmed takedown action initiated by hosting or registrar providers. The domain’s recent creation date (April 23, 2026) suggests a campaign in early deployment, likely targeting users anticipating Solana ecosystem airdrops. While the risk level is currently labeled under_investigation, the absence of VirusTotal detections and lack of network blocklisting increases exposure for unsuspecting users. Users are strongly advised to avoid interacting with this domain and to verify any airdrop-related link through PhishDestroy’s real-time scanner or official Solana Foundation channels. Prompt reporting of wallet compromise and immediate revocation of connected permissions are critical to mitigate potential asset loss.

[Updates since narrative was generated:]
  - VirusTotal detections: now 2/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260425-6999FD
Favicon MD5:       3c8b6314dfa262958c16db10f4f5eecb
TLS cert SHA-256:      d82375a4bd65800ed4fc1581d72e0b3231ed237de280694e748454c384de9cf8

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/sol-drops.lol/
JSON API:          https://api.destroy.tools/v1/check?domain=sol-drops.lol
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io