# PhishDestroy threat dossier — swapnow.gg
================================================================
Fetched: 2026-06-26 04:57:38 UTC
Canonical: https://phishdestroy.io/domain/swapnow.gg/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 14/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, SOCRadar, Sophos, VIPRE
AlienVault OTX: 2 pulses (threat-intel feed mentions)
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 64.29.17.65
Page title: SwapNow

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-07-15
Status: INVALID chain
Fingerprint (SHA-256): 3c78e7ef31a1773b826ef5129146157620d19b97f2de5b051a033dd359067ecf

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
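The cloaking finding in VERDICT (HTTP 666 to scanners, the live swap UI to browsers) is the kind of split a differential probe catches: fetch the same URL under a scanner-like and a browser-like client, normalise away per-request noise, and compare status and body. The block below is an added example and is not PhishDestroy's own tooling; the profile names, User-Agent strings, normalisation rules, the `example.invalid` URL and the two fake probes are assumptions constructed for the demo. Only `http_probe` touches the network, and the demo never calls it.

```python
"""Differential cloaking probe. Added example, not PhishDestroy's code.
Assumptions: the two client profiles below, the normalisation rules, and
the fake probe responses (constructed to mirror the dossier's finding)."""
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# Client profiles to compare. Names and UA strings are assumptions.
PROFILES: Dict[str, str] = {
    "scanner": "Mozilla/5.0 (compatible; ExampleScanner/1.0; +https://example.invalid/bot)",
    "browser": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"),
}

# A probe maps (url, user_agent) -> (status, body). Injected so the demo runs offline.
Probe = Callable[[str, str], Tuple[int, str]]


def normalise(body: str) -> str:
    """Remove per-request noise so two renders of the same page hash equal."""
    body = re.sub(r'nonce="[^"]*"', 'nonce=""', body)      # CSP nonces
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)        # HTML comments
    body = re.sub(r"\b\d{10,13}\b", "<ts>", body)             # epoch timestamps
    return re.sub(r"\s+", " ", body).strip()


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()[:16]


def detect_cloaking(url: str, probe: Probe) -> dict:
    """Probe under every profile and report whether scanner and browser see the same thing."""
    seen: Dict[str, dict] = {}
    for name, ua in PROFILES.items():
        status, body = probe(url, ua)
        seen[name] = {
            "status": status,
            "fp": fingerprint(body),
            # HTTP defines status codes 100-599 only; 666 is out of range by itself.
            "valid_status": 100 <= status <= 599,
        }
    scanner, browser = seen["scanner"], seen["browser"]
    reasons: List[str] = []
    if scanner["status"] != browser["status"]:
        reasons.append("status")
    if scanner["fp"] != browser["fp"]:
        reasons.append("body")
    return {
        "url": url,
        "cloaked": bool(reasons),
        "type": "content_split" if reasons else None,  # label used by the dossier
        "reasons": reasons,
        "profiles": seen,
    }


def http_probe(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real probe on the standard library only. Non-2xx codes (including 666) arrive as HTTPError."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fake_probe(url: str, user_agent: str) -> Tuple[int, str]:
    """Constructed responses reproducing the dossier's finding (assumption, not captured traffic)."""
    if "ExampleScanner" in user_agent:
        return 666, "<html><body>Forbidden</body></html>"
    return 200, ('<html><head><script nonce="r4nd0m"></script></head>'
                 '<body><h1>SwapNow</h1><button>Connect Wallet</button></body></html>')


def honest_probe(url: str, user_agent: str) -> Tuple[int, str]:
    """Constructed control: same page for everyone, differing only in a CSP nonce."""
    nonce = "a" if "ExampleScanner" in user_agent else "b"
    return 200, f'<html><head><script nonce="{nonce}"></script></head><body>same page</body></html>'


if __name__ == "__main__":
    print(detect_cloaking("https://example.invalid/", fake_probe))
    print(detect_cloaking("https://example.invalid/", honest_probe))
```

A User-Agent split is the crudest cloaking trigger; kits that key on source ASN, IP reputation, JavaScript execution or header order will serve the same page to both profiles here, so for a real check run the browser profile from a residential egress and, ideally, a headless browser, and treat a status outside 100-599 as its own indicator even when the bodies happen to match.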
## TIMELINE
----------------------------------------------------------------
First detected: 2026-06-09 16:14:55 UTC (by PhishDestroy tracker)
First reported: 2026-06-09 14:23:04 UTC (abuse notice filed)
Last verified: 2026-06-26 04:20:34 UTC
Neutralised: 2026-06-15 00:50:29 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019eacbd-9dab-70dc-a02c-16c675654941/
URLQuery: https://urlquery.net/report/12478ff6-e0d9-4983-91ab-62db3766822e
Wayback Machine: https://web.archive.org/web/*/swapnow.gg
crt.sh CT logs: https://crt.sh/?q=%25.swapnow.gg
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=swapnow.gg
AlienVault OTX: https://otx.alienvault.com/indicator/domain/swapnow.gg
URLhaus: https://urlhaus.abuse.ch/host/swapnow.gg/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 00:41:29 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, swapnow.gg, is identified as a crypto drainer phishing site designed to exploit users engaging in cryptocurrency transactions. Analysis indicates the domain impersonates legitimate token swap services and tricks victims into connecting their wallets to attacker-controlled smart contracts. Once the wallet is connected, the site prompts the victim to sign transactions or token approvals that hand funds, or the right to spend them, to attacker-controlled addresses; the drainer then empties the wallet using the authority the victim has just signed away. The threat specifically targets users of decentralized finance (DeFi) platforms, leveraging social engineering tactics to mimic trusted interfaces and urgency-driven prompts. Evidence supporting this assessment includes detection by 14 out of 95 security vendors on VirusTotal, with the domain appearing on three security blocklists.
The TLS certificate is issued by Let's Encrypt, a common choice for both legitimate and malicious sites due to its free and automated nature. Infrastructure analysis reveals the domain resolves to the IP address 64.29.17.65, and it has been referenced in two threat intelligence pulses on AlienVault OTX. Technologies detected on the site include Node.js, React, Vercel, Next.js, HSTS, and Webpack, which are consistent with modern web applications but do not inherently indicate legitimacy. The domain's current status is offline, though this does not eliminate the risk of re-emergence under a similar or altered infrastructure.

Users who visited swapnow.gg or interacted with the site should take immediate action to mitigate potential damage:
- Disconnect any wallet connections made to the domain via the wallet's connected-sites management interface.
- Review all recent transactions for unauthorized activity, particularly token approvals or transfers you did not intend to sign.
- Revoke any suspicious token approvals using a blockchain explorer or a dedicated revocation tool.
- Monitor the wallet addresses for further anomalies and, if compromise is confirmed, move remaining assets to a new wallet whose key was never exposed to the site.
- Scan the device used to access the site for malware, as phishing domains may deploy additional payloads.
- Report the incident to relevant security teams or platforms to aid in broader threat mitigation efforts.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260609-65AF4B
Favicon MD5: 1b292d5c8568c24d0d72f3afbee9c2e8
TLS cert SHA-256: 3c78e7ef31a1773b826ef5129146157620d19b97f2de5b051a033dd359067ecf

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/swapnow.gg/
JSON API: https://api.destroy.tools/v1/check?domain=swapnow.gg
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,051 domains (12,352 alive under monitoring, 157,076 confirmed takedowns/dead).
Site: https://phishdestroy.io
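The ANALYST NARRATIVE's remediation steps tell a victim to review recent token approvals and revoke the suspicious ones. The block below works that step through in code, as an added example that is neither PhishDestroy's nor any explorer's tooling: it decodes ERC-20 `Approval` event logs in the shape `eth_getLogs` returns them, keeps only the newest approval per (token, spender) pair, flags non-zero allowances granted to spenders that are not on an allow-list, and builds the `approve(spender, 0)` calldata that revokes each one. The victim, router, token and drainer addresses are placeholders, the log entries are constructed, and the allow-list is an assumption; the event topic and function selector are the standard ERC-20 values.

```python
"""ERC-20 approval audit and revocation plan. Added example, not PhishDestroy's
code. Assumptions: logs are in eth_getLogs shape, every address below is a
placeholder, and the trusted-spender set is supplied by the operator."""
from typing import Dict, Iterable, List, Set, Tuple

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte selector of approve(address,uint256).
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = (1 << 256) - 1


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; the address is the last 20."""
    return "0x" + topic[-40:].lower()


def addr_topic(addr: str) -> str:
    """Inverse of topic_to_address, used only to construct sample logs."""
    return "0x" + "0" * 24 + addr[2:].lower()


def decode_approval(log: dict) -> dict:
    if log["topics"][0].lower() != APPROVAL_TOPIC:
        raise ValueError("not an ERC-20 Approval log")
    return {
        "token": log["address"].lower(),
        "owner": topic_to_address(log["topics"][1]),
        "spender": topic_to_address(log["topics"][2]),
        "amount": int(log["data"], 16),
        "order": (int(log["blockNumber"], 16), int(log["logIndex"], 16)),
    }


def current_allowances(logs: Iterable[dict], owner: str) -> Dict[Tuple[str, str], dict]:
    """Approvals overwrite rather than accumulate: the newest event per (token, spender) wins."""
    owner = owner.lower()
    latest: Dict[Tuple[str, str], dict] = {}
    for ev in sorted((decode_approval(l) for l in logs), key=lambda e: e["order"]):
        if ev["owner"] == owner:
            latest[(ev["token"], ev["spender"])] = ev
    return latest


def suspicious_allowances(logs: Iterable[dict], owner: str, trusted_spenders: Set[str]) -> List[dict]:
    """Live allowances to spenders outside the allow-list, largest first; unlimited ones are marked."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = [
        {**ev, "unlimited": ev["amount"] == UINT256_MAX}
        for ev in current_allowances(logs, owner).values()
        if ev["amount"] > 0 and ev["spender"] not in trusted
    ]
    return sorted(findings, key=lambda f: f["amount"], reverse=True)


def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0): selector + 32-byte address + 32-byte zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def revocation_plan(logs: Iterable[dict], owner: str, trusted_spenders: Set[str]) -> List[dict]:
    """One transaction per finding: send `data` to the token contract from the owner's wallet."""
    return [
        {"to": f["token"], "data": revoke_calldata(f["spender"]),
         "spender": f["spender"], "unlimited": f["unlimited"]}
        for f in suspicious_allowances(logs, owner, trusted_spenders)
    ]


# --- constructed sample data (placeholders, not real on-chain addresses) ---
VICTIM = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
ROUTER = "0x" + "aa" * 20      # assumed-legitimate DEX router on the allow-list
DRAINER = "0x" + "d0" * 20     # placeholder for the drainer contract
TOKEN_A = "0x" + "0a" * 20
TOKEN_B = "0x" + "0b" * 20


def make_log(token: str, owner: str, spender: str, amount: int, block: int, index: int) -> dict:
    return {"address": token,
            "topics": [APPROVAL_TOPIC, addr_topic(owner), addr_topic(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}


SAMPLE_LOGS = [
    make_log(TOKEN_A, VICTIM, ROUTER, 1000, 0x10, 0),          # normal swap approval
    make_log(TOKEN_A, VICTIM, DRAINER, UINT256_MAX, 0x11, 0),  # unlimited approval to the drainer
    make_log(TOKEN_B, VICTIM, DRAINER, 5 * 10**18, 0x11, 1),   # later set back to zero below
    make_log(TOKEN_B, VICTIM, DRAINER, 0, 0x12, 0),            # already revoked
    make_log(TOKEN_A, OTHER, DRAINER, UINT256_MAX, 0x13, 0),   # someone else's wallet
]

if __name__ == "__main__":
    for tx in revocation_plan(SAMPLE_LOGS, VICTIM, {ROUTER}):
        print(tx)
```

Each entry in the plan is a transaction the owner's wallet must sign and send to `to` with `data` as calldata; until it is mined the drainer can still call `transferFrom`, so a revoke tied in a mempool race is worth bumping the gas on. This covers plain ERC-20 allowances only: NFT `setApprovalForAll` grants and Permit2-held allowances do not appear in these logs and need their own audit.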