# PhishDestroy threat dossier — suite-en-home-trizor.pages.dev
================================================================
Fetched: 2026-04-26 00:07:59 UTC
Canonical: https://phishdestroy.io/domain/suite-en-home-trizor.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 98/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Trezor

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, Kaspersky, LevelBlue

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.66.44.93 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: ara.ns.cloudflare.com, rob.ns.cloudflare.com
Registered: 2026-04-14
Page title: Trezor® Suite - Advanced Hardware Wallet Security Platform | Ultimate Guide
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-05
Status: INVALID chain
Fingerprint: 55f381ca0bda1dbf171c792cd1f84227c75dd0add71e9c7e2aef69142d74a6bc

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-14 19:35:56 UTC (by PhishDestroy tracker)
Last verified: 2026-04-22 19:40:16 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d8cd7-b7c1-701b-be87-2a59e722bb87/
Wayback Machine: https://web.archive.org/web/*/suite-en-home-trizor.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.suite-en-home-trizor.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=suite-en-home-trizor.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/suite-en-home-trizor.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/suite-en-home-trizor.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-14 19:37:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

suite-en-home-trizor.pages.dev has been flagged by PhishDestroy for active brand impersonation of Trezor, a leading hardware wallet manufacturer. The page falsely presents itself as “Trezor® Suite - Advanced Hardware Wallet Security Platform | Ultimate Guide,” leveraging Trezor’s trademarked branding to deceive users into believing it is an official or endorsed platform. This tactic is commonly used to harvest credentials, distribute malware, or redirect victims to fake wallet recovery pages designed to steal cryptocurrency assets. Given the high trust in Trezor’s brand within the crypto community, the risk of user deception is elevated, especially among less technical users seeking secure wallet solutions.

This domain was flagged with a risk level of “under_investigation” and remains active despite zero detections on VirusTotal (0/95 engines) at the time of analysis. The site is registered through Cloudflare, Inc., resolving to IP 172.66.44.93 via Cloudflare’s proxy network. While the SSL certificate is issued by Google Trust Services, this alone does not validate legitimacy, as threat actors frequently abuse trusted issuers to appear credible. The page title directly mimics Trezor’s official branding, and the use of Cloudflare hosting further obscures the true origin of the site. No confirmed presence on major blocklists (e.g., Google Safe Browsing, PhishTank) was detected at this time, suggesting this domain may be newly deployed or actively evading detection.

Mitigation for users is straightforward and urgent: do not visit suite-en-home-trizor.pages.dev or interact with its contents. Trezor users should only access Suite via the official domain suite.trezor.com. If a user has already entered wallet credentials or recovery phrases on this domain, they should immediately transfer all assets to a newly generated wallet on the official platform and consider all prior recovery phrases compromised. Organizations should include this domain in DNS filtering policies and alert users through internal security channels.

Security teams are advised to monitor for similar impersonation domains leveraging Trezor’s brand, especially those hosted on Cloudflare or using similar naming patterns (e.g., “suite-”, “trizor”, “home-”). Early detection and takedown remain critical to prevent financial loss and reputational damage.

[Updates since narrative was generated:]
- VirusTotal detections: now 3/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: 55f381ca0bda1dbf171c792cd1f84227c75dd0add71e9c7e2aef69142d74a6bc

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/suite-en-home-trizor.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=suite-en-home-trizor.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains.
Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io