# PhishDestroy threat dossier — spendcrypt.com
================================================================
Fetched: 2026-07-03 16:00:23 UTC
Canonical: https://phishdestroy.io/domain/spendcrypt.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 77/100 (PhishDestroy scoring — see methodology below)
Scam classification: cryptocurrency

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/94 security vendors flagged this domain
Flagging vendors: alphaMountain.ai
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 109.73.205.72 (RU, Moscow)
ASN: AS9123 JSC TIMEWEB
Hosting org: TimeWeb Ltd
Registered: 2026-04-25
Page title: Trust Card – Spend Crypto Like Cash. No Verification

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E7
Expires: 2026-07-23
Status: INVALID chain
Fingerprint: 771b746393a5c853abaf6e4ff908b278dc8effb82512f5a3250c6a99a4925cbe
Subject Alternative Names (related infrastructure — often same operator):
- www.spendcrypt.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-25 12:20:32 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-25 09:22:12 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-07-03 16:20:36 UTC
Neutralised: 2026-05-09 04:34:12 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dc3f0-3ea1-7502-b929-d71516b0f458/
URLQuery: https://urlquery.net/report/23640f90-4f4a-4921-ae5c-c44c332a07a2
Wayback Machine: https://web.archive.org/web/*/spendcrypt.com
crt.sh CT logs: https://crt.sh/?q=%25.spendcrypt.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=spendcrypt.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/spendcrypt.com
URLhaus: https://urlhaus.abuse.ch/host/spendcrypt.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-25 12:21:31 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies SpendCrypt.com as a live credential-phishing domain actively soliciting cryptocurrency wallet logins. The site is classified as an active phishing threat and remains under investigation due to the high risk of financial loss. Any interaction with this domain may expose wallet credentials, private keys, or seed phrases to an unknown attacker-controlled server.

This domain was flagged by PhishDestroy with VirusTotal showing 1/95 detections at the time of inspection, indicating that mainstream scanners have not yet updated their signatures. SpendCrypt.com utilizes a Let’s Encrypt SSL certificate, which does not confirm legitimacy. The registrar is not specified in available records, and the domain resolves to an IP address that has yet to be flagged by major blocklists such as Google Safe Browsing, PhishTank, or OpenPhish. Domain creation and expiration dates are currently undisclosed in public WHOIS records, further masking its operational timeline and potential longevity.

To mitigate exposure to credential theft via SpendCrypt.com, users should avoid visiting the site entirely and never enter any wallet credentials, recovery phrases, or private keys. Organizations are advised to block the domain at the network firewall level and monitor DNS logs for resolution attempts. Security teams should also inspect internal endpoints for any outbound connections to the domain’s IP or subdomains. If credentials were entered, immediately revoke access to the associated cryptocurrency wallets and initiate a full security audit of connected devices.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260425-E8EF42
TLS cert SHA-256: 771b746393a5c853abaf6e4ff908b278dc8effb82512f5a3250c6a99a4925cbe

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/spendcrypt.com/
JSON API: https://api.destroy.tools/v1/check?domain=spendcrypt.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,403 domains (13,595 alive under monitoring, 159,990 confirmed takedowns/dead).
Site: https://phishdestroy.io