# PhishDestroy threat dossier — tetreumtoken.com
================================================================

Fetched:   2026-04-21 21:45:25 UTC
Canonical: https://phishdestroy.io/domain/tetreumtoken.com/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 87/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/95 security vendors flagged this domain
URLQuery:        3 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      91.92.240.105 (DE, Frankfurt am Main)
ASN:             AS202412 Omegatech LTD
Hosting org:     Omegatech LTD
Registrar:       Cloudflare, Inc.
Nameservers:     aitana.ns.cloudflare.com, norman.ns.cloudflare.com
Registered:      2026-04-17
Page title:      Tetreum Official Presale with up to 200% bonus
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R13
Expires:    2026-07-19
Status:     INVALID chain
Fingerprint: dd4df4c95bb03f16d84f066d27f93ff2657dc5ce3d32871465d74fc5ed3bb5a3
Subject Alternative Names (related infrastructure — often same operator):
  - www.tetreumtoken.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-21 03:53:03 UTC (by PhishDestroy tracker)
First reported:    2026-04-21 00:54:09 UTC (abuse notice filed)
Last verified:     2026-04-21 23:06:03 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dad85-a76c-714a-bea2-63d7327cf30e/
URLQuery:         https://urlquery.net/report/eadd4d8e-44fa-4fd4-bd08-0d35dbf73ff4
Wayback Machine:  https://web.archive.org/web/*/tetreumtoken.com
crt.sh CT logs:   https://crt.sh/?q=%25.tetreumtoken.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tetreumtoken.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/tetreumtoken.com
URLhaus:          https://urlhaus.abuse.ch/host/tetreumtoken.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-21 03:54:01 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy has flagged tetreumtoken.com as a live brand-impersonation site that clones the global OKX exchange. This domain was registered on April 17, 2026, through Cloudflare, Inc. and is already resolving to IP address 91.92.240.105 while sporting a valid Let’s Encrypt SSL certificate. Although VirusTotal currently reports 0 detections out of 95 scanners, the site’s recent creation date and exact replication of the OKX brand design make it a credible risk for credential theft and financial fraud.  The threat is clear: criminals are using a newly minted domain to trick visitors into believing they are on the official OKX website. Once a user logs in, their credentials and any multi-factor tokens are harvested, giving attackers full control over linked trading accounts. The low detection rate does not reflect true safety; newly registered domains often fly under the radar until after users have already been compromised. The combination of a recent registration date, Cloudflare hosting, and a spoofed design is a classic hallmark of short-lived brand-impersonation campaigns.  If you visited tetreumtoken.com, stop using the site immediately. Log in to your genuine OKX account only via the official okx.com domain or the OKX mobile app, then enable two-factor authentication and review any unauthorized withdrawal requests. Report the fake site to OKX’s abuse team and run a full malware scan on all devices you used to access the phishing page. Finally, change the password on your OKX account with a unique strong password and consider revoking any API keys that may have been exposed.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260421-B7B05D
TLS cert SHA-256:      dd4df4c95bb03f16d84f066d27f93ff2657dc5ce3d32871465d74fc5ed3bb5a3

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/tetreumtoken.com/
JSON API:          https://api.destroy.tools/v1/check?domain=tetreumtoken.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io