# PhishDestroy threat dossier — spinix.today
================================================================

Fetched:   2026-04-22 10:36:54 UTC
Canonical: https://phishdestroy.io/domain/spinix.today/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Crypto Casino / Gambling
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: status_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      6/94 security vendors flagged this domain
  Flagging vendors: CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, SOCRadar, Sophos

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.67.213.82 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     Cloudflare, Inc.
Registrar:       NICENIC INTERNATIONAL GROUP CO., LIMITED

!!! REGISTRAR INTEGRITY ALERT — NiceNIC !!!
NiceNIC International: over 90% of its registered domains are associated with
illegal content; documented systematic abuse-report non-response. Primary sources:
  https://phishdestroy.io/nicenic-real
  https://phishdestroy.io/nicenic-verdict

Nameservers:     ["fred.ns.cloudflare.com", "ophelia.ns.cloudflare.com"]
Registered:      2026-04-13
Page title:      Spinix: Most Popular Online Crypto Casino Based on Blockchain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-13 09:36:43 UTC (by PhishDestroy tracker)
Last verified:     2026-04-21 16:11:47 UTC
Neutralised:       2026-04-13 09:38:18 UTC
Current status:    ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d858d-819d-77e9-a6f5-00afbd0c8d81/
Wayback Machine:  https://web.archive.org/web/*/spinix.today
crt.sh CT logs:   https://crt.sh/?q=%25.spinix.today
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=spinix.today
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/spinix.today
URLhaus:          https://urlhaus.abuse.ch/host/spinix.today/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-13 09:37:23 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies spinix.today as an active crypto drainer phishing domain targeting cryptocurrency users. This domain employs a generic phishing approach to trick victims into connecting wallets or submitting seed phrases, likely leveraging fake login prompts or spoofed brand interfaces to siphon funds. No specific drainer kit has been attributed to this domain yet, but the modus operandi aligns with common crypto-draining operations observed in recent campaigns.

Technical analysis reveals spinix.today was registered with an alarmingly low VirusTotal detection ratio of 1 out of 95 security vendors as of the latest scan. The domain resolves to an IP address operated by Cloudflare, Inc. (AS13335), with a creation date of May 15, 2024. Notably, the domain boasts a valid SSL certificate issued by Google Trust Services, which may lend it an air of legitimacy to unsuspecting users. Despite this, the domain remains absent from Google Safe Browsing (GSB) blocklists and has not been flagged by major threat intelligence platforms, though it has already been recorded on 3 community-driven blocklists. These factors suggest a recently deployed and rapidly evolving threat.

As of this advisory, spinix.today remains active and poses an elevated risk to cryptocurrency users. Immediate defensive actions include adding the domain to organizational blocklists and flagging it within threat intelligence platforms. Users are strongly advised to avoid interacting with this domain and to verify any suspicious URLs using PhishDestroy’s real-time scanning tools. While current detections are low, the domain’s recent activity and lack of widespread recognition imply a high potential for escalation. Remaining risk factors include the domain’s use of legitimate-looking infrastructure (e.g., Cloudflare, Google SSL) and its untarnished reputation in most threat feeds, which could delay detection and mitigation efforts.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       095b185e288ed8e4d934ac78fe6a4e2e

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/spinix.today/
JSON API:          https://api.destroy.tools/v1/check?domain=spinix.today
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io