# PhishDestroy threat dossier — strt-begin-io-trezer.typedream.app
================================================================

Fetched:   2026-06-30 13:11:07 UTC
Canonical: https://phishdestroy.io/domain/strt-begin-io-trezer.typedream.app/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Trezor
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 4/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      6/91 security vendors flagged this domain
  Flagging vendors: ChainPatrol, alphaMountain.ai, Kaspersky, LevelBlue, Netcraft, PhishFort
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.37.85 (US, San Francisco)
ASN:             ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org:     AS13335 Cloudflare, Inc.
Registrar:       Typedream
Nameservers:     NS_NOT_FOUND
Page title:      Trezor.io/Start® | Starting Up Your Device - Trezor®
HTTP response:   200

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
First detected:    2026-06-29 00:23:53 UTC (by PhishDestroy tracker)
Last verified:     2026-06-30 12:20:35 UTC
Current status:    ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019f1053-b643-7438-863e-3e96c90ed116/
Wayback Machine:  https://web.archive.org/web/*/strt-begin-io-trezer.typedream.app
crt.sh CT logs:   https://crt.sh/?q=%25.strt-begin-io-trezer.typedream.app
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=strt-begin-io-trezer.typedream.app
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/strt-begin-io-trezer.typedream.app
URLhaus:          https://urlhaus.abuse.ch/host/strt-begin-io-trezer.typedream.app/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-29 00:24:39 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, strt-begin-io-trezer.typedream.app, presents an elevated-risk phishing infrastructure specifically designed to impersonate Trezor, a hardware cryptocurrency wallet provider. The site mimics the official Trezor device initialization page, displaying the title 'Trezor.io/Start® | Starting Up Your Device - Trezor®' to deceive users into believing they are interacting with legitimate Trezor infrastructure. Such impersonation typically aims to harvest seed phrases, private keys, or other sensitive credentials, enabling attackers to drain cryptocurrency assets from victims' wallets. The use of official branding, including registered trademark symbols, increases the likelihood of successful social engineering, particularly among users unfamiliar with the authentic setup process.  Analysis of the domain reveals multiple technical indicators supporting its malicious classification. The domain is flagged by 3 out of 95 security vendors on VirusTotal, a relatively low but non-zero detection rate that suggests emerging or evasive phishing tactics. It resolves to the IP address 188.114.96.3 and employs an SSL certificate issued by Google Trust Services, which, while providing encryption, does not validate the legitimacy of the site's content. The domain is hosted on the typedream.app platform, a service that allows rapid deployment of web pages, which is frequently abused for phishing campaigns due to its low barrier to entry and lack of stringent content verification. No creation date or registrar details were provided, but the infrastructure aligns with patterns observed in short-lived, disposable phishing sites.  Users who have visited strt-begin-io-trezer.typedream.app or entered sensitive information on the site should assume their credentials or seed phrases have been compromised. Immediate actions include revoking any wallet access associated with the exposed credentials, transferring remaining assets to a new, secure wallet, and monitoring for unauthorized transactions. Affected users should also scan their devices for malware, as phishing sites may deploy additional payloads. To prevent future incidents, users are advised to verify domain authenticity by cross-referencing with official sources, such as the legitimate Trezor website, and to enable multi-factor authentication where available. Bookmarking verified URLs and avoiding links from unsolicited communications further reduces exposure to such threats.

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/strt-begin-io-trezer.typedream.app/
JSON API:          https://api.destroy.tools/v1/check?domain=strt-begin-io-trezer.typedream.app
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,677 domains (12,746 alive under monitoring, 159,341 confirmed takedowns/dead). Site: https://phishdestroy.io