# PhishDestroy threat dossier β€” thecryptopunks.com ================================================================ Fetched: 2026-07-04 09:47:49 UTC Canonical: https://phishdestroy.io/domain/thecryptopunks.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED β€” returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring β€” see methodology below) Cloaking: DETECTED β€” domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 16/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, ChainPatrol, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, Fortinet, G-Data, Google Safebrowsing, Gridinsoft, Kaspersky, Lionic, Sophos, VIPRE, Webroot URLQuery: 2 detections Public blocklists: listed on 3 independent blocklists Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: Gname.com Pte. Ltd. Nameservers: andy.ns.cloudflare.com, irena.ns.cloudflare.com Registered: 2025-11-19 Expires: 2027-11-19 Page title: What Drives XRP Price? Discover Top Factors & Trends πŸš€πŸ“Š HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet β€” this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-11-19 (per WHOIS / CT β€” may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-02 20:49:58 UTC (by PhishDestroy tracker) First reported: 2026-07-02 18:56:42 UTC (abuse notice filed) Last verified: 2026-07-04 08:20:35 UTC Current status: ACTIVE β€” cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f2429-6e54-7120-86f1-0e61af33e5fa/ URLQuery: https://urlquery.net/report/9a14f616-694a-4fd9-a378-c25e8dcef66d Wayback Machine: https://web.archive.org/web/*/thecryptopunks.com crt.sh CT logs: https://crt.sh/?q=%25.thecryptopunks.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=thecryptopunks.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/thecryptopunks.com URLhaus: https://urlhaus.abuse.ch/host/thecryptopunks.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-02 20:55:28 UTC β€” narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as a crypto investment scam, specifically designed to exploit interest in XRP price trends through social engineering tactics. The site presents itself as an analytical resource but is structured to deceive users into disclosing sensitive financial information or transferring cryptocurrency under false pretenses. The risk level remains under investigation due to emerging indicators, though initial analysis suggests a high potential for financial harm to targeted individuals. Analysis indicates the domain was registered on November 19, 2025, through Gname.com Pte. Ltd., a registrar frequently associated with newly created phishing and scam domains. It resolves to the IP address 188.114.96.3, which has been observed in other low-reputation hosting environments. VirusTotal reports 0 out of 95 security vendors flagging the domain, though this lack of detection may reflect its recent creation rather than benign intent. The domain appears on one security blocklist, and Google Safe Browsing has issued a SOCIAL_ENGINEERING warning. The SSL certificate is issued by Let’s Encrypt, a common but not inherently trustworthy provider often exploited by malicious actors to lend a false sense of legitimacy. InversionDNS has already blocked resolution, further corroborating suspicions of fraudulent activity. Mitigation steps for this type of threat include immediate blocking of the domain at the DNS or network level to prevent user access. Organizations should update security policies to flag domains registered within the last 30 days, particularly those using registrars with histories of abuse. End users should be educated to verify the legitimacy of financial or investment-related websites, especially those making unsolicited claims about cryptocurrency trends. If financial data or cryptocurrency transactions have already occurred, affected parties should report the incident to relevant financial authorities and monitor accounts for unauthorized activity. Additional scrutiny should be applied to domains impersonating analytical or market research content, as these are increasingly used to lend credibility to scams targeting retail investors. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260702-D275B2 Favicon MD5: b4b2960c97ae45e5957811171a20590c ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe β€” new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/thecryptopunks.com/ JSON API: https://api.destroy.tools/v1/check?domain=thecryptopunks.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,430 domains (12,731 alive under monitoring, 160,880 confirmed takedowns/dead). Site: https://phishdestroy.io