# PhishDestroy threat dossier — spx99x.net ================================================================ Fetched: 2026-07-13 01:18:25 UTC Canonical: https://phishdestroy.io/domain/spx99x.net/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Fake Airdrop Phishing kit: Token Presale ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: Forcepoint ThreatSeeker, Gridinsoft, SOCRadar Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 75.2.60.5 (US, Seattle) ASN: ASAS16509 AMAZON-02 - Amazon.com, Inc., US Hosting org: AS16509 Amazon.com, Inc. Registrar: Ultahost, Inc. Nameservers: keira.ns.cloudflare.com, rayden.ns.cloudflare.com Registered: 2026-07-01 Expires: 2027-07-01 Page title: The SPX99X Token Official Presale Is Now Live HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE2 Expires: 2026-09-29 Status: INVALID chain Fingerprint: eece782edb53d8cf554b4b47faa287bdba3284ee9189b61652cd61cf4d4c25d5 Subject Alternative Names (related infrastructure — often same operator): - www.spx99x.net ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 07:29:04 UTC (by PhishDestroy tracker) Last verified: 2026-07-13 03:00:31 UTC Neutralised: 2026-07-06 12:17:36 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f35e5-f31d-7269-b9f7-27622c2be826/ Wayback Machine: https://web.archive.org/web/*/spx99x.net crt.sh CT logs: https://crt.sh/?q=%25.spx99x.net Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=spx99x.net AlienVault OTX: https://otx.alienvault.com/indicator/domain/spx99x.net URLhaus: https://urlhaus.abuse.ch/host/spx99x.net/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-06 07:35:13 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain poses a specific threat as a crypto drainer, impersonating an official token presale. The page title 'The SPX99X Token Official Presale Is Now Live' suggests that the domain is attempting to deceive users into believing they are participating in a legitimate presale for a cryptocurrency token. This deception could lead to the unauthorized transfer of funds or the theft of personal information, posing significant financial and security risks. Analysis indicates that the domain spx99x.net has not been flagged by VirusTotal, with 0/95 detections. The domain is registered through Ultahost, Inc. and was created on July 01, 2026. The infrastructure analysis reveals that the domain resolves to the IP address 75.2.60.5 and utilizes Netlify for hosting, indicating a potentially sophisticated setup. The presence of an HSTS (HTTP Strict Transport Security) header and a Let's Encrypt SSL certificate further suggest that the domain operators are attempting to enhance the legitimacy of the site and secure user communications, which can make the deception more convincing. If users have visited this domain, they should immediately check their cryptocurrency wallets and accounts for any unauthorized transactions. It is recommended to enable two-factor authentication (2FA) on all relevant accounts and review recent login activity. Users should also monitor their financial statements for any unusual activity and consider reporting the incident to their cryptocurrency exchange or financial institution. Additionally, users should avoid clicking on any links or entering personal information on the site and report the domain to security platforms and authorities if it is confirmed to be malicious. [Updates since narrative was generated:] - VirusTotal detections: now 3/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: eece782edb53d8cf554b4b47faa287bdba3284ee9189b61652cd61cf4d4c25d5 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/spx99x.net/ JSON API: https://api.destroy.tools/v1/check?domain=spx99x.net Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,008 domains (49,746 alive under monitoring, 128,262 confirmed takedowns/dead). Site: https://phishdestroy.io