# PhishDestroy threat dossier — tasselg.cyou
================================================================
Fetched: 2026-05-07 13:16:16 UTC
Canonical: https://phishdestroy.io/domain/tasselg.cyou/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 63/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 17/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, AlphaSOC, BitDefender, Chong Lua Dao, Dr.Web, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, Lionic, Seclookup, SOCRadar, Sophos, VIPRE, Webroot
URLQuery: 2 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 37.77.150.150
Registrar: Dynadot LLC
Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net
Registered: 2026-01-29
Page title: Plesk Obsidian 18.0.77
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-08-04
Status: INVALID chain
Fingerprint: 84a5c33c0c2eb7383101824a9c48ee64e5abc1c367b8a105753c215585100e9f
Subject Alternative Names (related infrastructure — often same operator):
- admiring-poincare.37-77-150-150.plesk.page (a Plesk-provisioned preview hostname for the server itself; the dashed IP in the name is the same 37.77.150.150 recorded under INFRASTRUCTURE, so this SAN identifies the host, not a second operator-chosen domain)

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
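The SAN in the TLS CERTIFICATE section is the kind of pivot a responder wants to automate: pull every name the operator has had certified, check whether a hosting-provider preview name pins the certificate to the IP that DNS resolves to, and measure how young the certificate is. The script below is an added example for this dossier, not PhishDestroy's code. It works offline on records shaped like the JSON that `https://crt.sh/?q=%25.tasselg.cyou&output=json` returns; the single record is constructed from the dossier's TLS and INFRASTRUCTURE fields (the `not_before` date is back-computed from the 2026-08-04 expiry and Let's Encrypt's 90-day lifetime, so the real value must come from crt.sh), and the regex for Plesk's `<label>.<a>-<b>-<c>-<d>.plesk.page` layout is the example author's assumption, not a published specification.

```python
"""CT-log pivot for a flagged domain.

Added example for this dossier; it is not PhishDestroy's code.  Records use
the field names crt.sh returns with output=json (issuer_name, common_name,
name_value, not_before, not_after).  SAMPLE_RECORDS is CONSTRUCTED from the
dossier's TLS and INFRASTRUCTURE fields, not fetched from crt.sh.
"""
import re
from datetime import datetime

# Constructed: one Let's Encrypt R12 leaf covering the apex plus the Plesk
# preview hostname.  not_before is the 2026-08-04 expiry minus the 90-day
# Let's Encrypt lifetime; the real value must be read from crt.sh.
SAMPLE_RECORDS = [
    {
        "issuer_name": "C=US, O=Let's Encrypt, CN=R12",
        "common_name": "tasselg.cyou",
        "name_value": "tasselg.cyou\nadmiring-poincare.37-77-150-150.plesk.page",
        "not_before": "2026-05-06T12:00:00",
        "not_after": "2026-08-04T12:00:00",
    },
]

# Plesk auto-provisions <label>.<a>-<b>-<c>-<d>.plesk.page preview names that
# carry the server's IPv4 address with dashes.  This regex is the example
# author's assumption of that layout, not a published Plesk specification.
PLESK_IP_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)?(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.plesk\.page$"
)


def extract_sans(records):
    """Unique hostnames across all CT entries; name_value is newline-separated."""
    names = set()
    for rec in records:
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                names.add(name)
    return sorted(names)


def plesk_hostname_ip(hostname):
    """Return the dotted IPv4 embedded in a *.plesk.page name, else None."""
    m = PLESK_IP_RE.match(hostname.strip().lower())
    return ".".join(m.groups()) if m else None


def earliest_not_before(records):
    """Issuance time of the oldest certificate seen for the domain."""
    return min(datetime.fromisoformat(r["not_before"]) for r in records)


def triage(records, resolved_ip, now):
    """Summarise the infrastructure signals the dossier's methodology uses."""
    sans = extract_sans(records)
    embedded_ips = {ip for h in sans if (ip := plesk_hostname_ip(h)) is not None}
    age_days = (now - earliest_not_before(records)).days
    return {
        "sans": sans,
        "embedded_ips": sorted(embedded_ips),
        # The preview hostname pins the cert to the same host DNS resolves to.
        "san_ip_matches_dns": resolved_ip in embedded_ips,
        # Free TLS everywhere is the "throwaway infrastructure" signal.
        "free_tls_only": all("Let's Encrypt" in r["issuer_name"] for r in records),
        "first_cert_age_days": age_days,
        "young_cert": age_days < 30,
    }


def dossier_triage():
    """Run triage with the dossier's resolved IP and fetch timestamp."""
    return triage(SAMPLE_RECORDS, "37.77.150.150", datetime(2026, 5, 7, 13, 16, 16))


if __name__ == "__main__":
    for key, val in dossier_triage().items():
        print(f"{key:22s} {val}")
```

Against real crt.sh output the same functions apply unchanged; the interesting cases are a preview hostname whose embedded IP no longer matches DNS (the operator moved hosts) and a `first_cert_age_days` far smaller than the WHOIS age (a parked domain put to use just before detection, which is what the constructed record shows).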
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-01-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-07 14:04:52 UTC (by PhishDestroy tracker)
First reported: 2026-05-07 11:05:34 UTC (abuse notice filed)
Last verified: 2026-05-07 16:00:08 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e021b-d459-77ca-b0db-8064ed9115bf/
URLQuery: https://urlquery.net/report/ea614060-af6d-4c35-88dc-02407a289fad
Wayback Machine: https://web.archive.org/web/*/tasselg.cyou
crt.sh CT logs: https://crt.sh/?q=%25.tasselg.cyou
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tasselg.cyou
AlienVault OTX: https://otx.alienvault.com/indicator/domain/tasselg.cyou
URLhaus: https://urlhaus.abuse.ch/host/tasselg.cyou/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-07 14:05:27 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

tasselg.cyou is classified as a crypto-drainer scam: a phishing site built to get visitors to connect a cryptocurrency wallet and then empty it. The domain does not impersonate a specific brand; the lure is generic social engineering, most likely a token giveaway, a fake NFT mint or a fraudulent investment platform. Crypto-drainers are a growing subset of phishing and are typically built on commodity 'drainer-as-a-service' kits, malicious JavaScript packages sold on darknet forums.
These kits automate the work after a wallet connects: they enumerate the victim's assets and construct the transactions that move them out. They still need the victim's signature. Every drain runs through an approval or transfer that the wallet is asked to sign (an ERC-20 approve or permit, an ERC-721/1155 setApprovalForAll, a direct transfer, or a signed message that authorises one), so the lure exists to obtain that click. Once a sufficiently broad approval has been signed, the drainer moves the funds without any further interaction, which is why the loss is effectively instant. PhishDestroy classifies this domain as an active crypto-drainer with elevated risk.

17 of 95 VirusTotal vendors flag the domain, which is significant consensus for a domain this young. It was registered through Dynadot LLC on January 29, 2026, a recent registration consistent with a short-lived campaign. It resolves to 37.77.150.150 and serves a Let's Encrypt TLS certificate; free certificates are routine on scam infrastructure because issuance is automated and the browser padlock lends a legitimate appearance, so the padlock says nothing about the site's intent. Two details in the INFRASTRUCTURE and TLS sections matter before acting on this dossier: the page title recorded at fetch time was the Plesk Obsidian 18.0.77 default page, and the certificate's only other SAN is the Plesk-provisioned preview hostname for the same server (the IP is encoded in the name). A default panel page on the apex is consistent with drainer content served from a sub-path or another hostname, served only to non-bot visitors (see cloaking detection in the methodology below), or already removed; re-check the URLScan and Wayback captures listed above before relying on the current apex content. Google Safe Browsing (GSB) has not yet flagged the domain; it is blocked by Maltrail, presumably the single public-blocklist listing recorded under DETECTION EVIDENCE. Taken together, these indicators are consistent with a newly active, low-profile operator using commodity hosting to stay below detection thresholds; they do not by themselves prove it.

As of the latest verification, tasselg.cyou remains active and poses an elevated risk to cryptocurrency users. Blocklists such as Maltrail give immediate protection to anyone who consumes them, but the recent registration and low detection ratio mean the domain can still slip past broader security controls. Do not interact with tasselg.cyou or similar domains, especially where a wallet connection or transaction is involved. Verify URLs through known reputable sources, prefer a hardware wallet, and run every transaction request through a simulation tool before signing; never sign a request whose approval target or amount you cannot read. If a wallet has already interacted with this site, review and revoke outstanding token approvals from a clean device, move remaining assets to a fresh wallet, and report unauthorised transactions immediately. The domain is on limited blocklists today; its threat profile can escalate rapidly as more intelligence surfaces.
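The narrative's advice to simulate before signing comes down to one check: what does the request the site pushes to the wallet actually authorise? The script below is an added example for this dossier, not PhishDestroy's code and not anything captured from tasselg.cyou. It decodes the calldata path a drainer kit relies on (ERC-20 approve / increaseAllowance, ERC-721/1155 setApprovalForAll, direct transfers, bare ETH sends) and classifies each request; EIP-712 permit signatures are a separate path it does not decode. The four-byte selectors are the standard ones for those ABI signatures; the token and spender addresses and the sample requests are constructed placeholders.

```python
"""Flag drainer-style wallet requests before they are signed.

Added example for this dossier, not PhishDestroy's code.  A drainer kit can
only move assets the victim has authorised, so the practical control is to
decode what the site asks the wallet to sign.  This handles the calldata
path (approve / setApprovalForAll / transfers); EIP-712 "permit" signatures
are a separate path not decoded here.  SAMPLE_REQUESTS are CONSTRUCTED; the
token and spender addresses are placeholders, not observed on tasselg.cyou.
"""

UINT256_MAX = (1 << 256) - 1

# 4-byte function selectors (first four bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 / ERC-721
    "39509351": "increaseAllowance(address,uint256)",  # OpenZeppelin ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}


def decode_call(data):
    """Decode the selector and the static ABI arguments of known functions."""
    h = data.lower().removeprefix("0x")
    if len(h) < 8:
        return {"func": None, "args": []}
    sig = SELECTORS.get(h[:8])
    if sig is None:
        return {"func": "unknown:" + h[:8], "args": []}
    types = sig[sig.index("(") + 1 : -1].split(",")
    args = []
    for i, typ in enumerate(types):
        word = h[8 + 64 * i : 8 + 64 * (i + 1)]   # each static arg is one 32-byte word
        if len(word) != 64:
            raise ValueError("truncated calldata for " + sig)
        if typ == "address":
            args.append("0x" + word[-40:])         # address is right-aligned in the word
        elif typ == "uint256":
            args.append(int(word, 16))
        elif typ == "bool":
            args.append(int(word, 16) != 0)
    return {"func": sig[: sig.index("(")], "args": args}


def assess(request, trusted_spenders=frozenset()):
    """Classify one eth_sendTransaction-style request {to, value, data}."""
    call = decode_call(request.get("data", "0x"))
    value = int(request.get("value", "0x0"), 16)
    func, args = call["func"], call["args"]
    if func is None:
        return "NATIVE_TRANSFER" if value > 0 else "OK"
    if func in ("approve", "increaseAllowance"):
        spender, amount = args
        if spender.lower() in trusted_spenders:
            return "TRUSTED_APPROVAL"
        # Drainers ask for max uint256 (or near it) so one signature covers everything.
        return "UNLIMITED_APPROVAL" if amount >= UINT256_MAX >> 1 else "BOUNDED_APPROVAL"
    if func == "setApprovalForAll":
        operator, enabled = args
        if enabled and operator.lower() not in trusted_spenders:
            return "COLLECTION_APPROVAL"       # hands over every token in the collection
        return "OK"
    if func in ("transfer", "transferFrom"):
        return "DIRECT_TRANSFER"
    return "REVIEW"                              # unknown selector: simulate before signing


# --- constructed sample requests (placeholders, not observed traffic) -------
TOKEN = "0x" + "11" * 20      # placeholder ERC-20 contract
SPENDER = "0x" + "ab" * 20    # placeholder drainer contract


def _addr_word(addr):
    return addr[2:].lower().rjust(64, "0")


def _uint_word(n):
    return f"{n:064x}"


SAMPLE_REQUESTS = {
    "unlimited_approve": {"to": TOKEN, "value": "0x0",
                          "data": "0x095ea7b3" + _addr_word(SPENDER) + _uint_word(UINT256_MAX)},
    "approval_for_all":  {"to": TOKEN, "value": "0x0",
                          "data": "0xa22cb465" + _addr_word(SPENDER) + _uint_word(1)},
    "bounded_approve":   {"to": TOKEN, "value": "0x0",
                          "data": "0x095ea7b3" + _addr_word(SPENDER) + _uint_word(1000 * 10**18)},
    "eth_send":          {"to": SPENDER, "value": hex(10**18), "data": "0x"},
}


def triage_requests(requests=SAMPLE_REQUESTS, trusted_spenders=frozenset()):
    """Verdict per request name; pass known protocol routers as trusted_spenders."""
    return {name: assess(req, trusted_spenders) for name, req in requests.items()}


if __name__ == "__main__":
    for name, verdict in triage_requests().items():
        print(f"{name:18s} {verdict}")
```

The allow-list is deliberately the only way to get a quiet verdict: an unlimited approve to an address you have not vetted is the signature a drainer needs, and a bounded approve still deserves a look at the spender before signing.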
## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260507-61596D
TLS cert SHA-256: 84a5c33c0c2eb7383101824a9c48ee64e5abc1c367b8a105753c215585100e9f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/tasselg.cyou/
JSON API: https://api.destroy.tools/v1/check?domain=tasselg.cyou
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 146,920 domains (52,557 alive under monitoring, 94,029 confirmed takedowns/dead).
Site: https://phishdestroy.io