# PhishDestroy threat dossier — tokendistribution.org
================================================================

Fetched:   2026-06-28 21:57:19 UTC
Canonical: https://phishdestroy.io/domain/tokendistribution.org/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 87/100 (PhishDestroy scoring — see methodology below)
Scam classification: Fake Giveaway
Targeted brand: OKX

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      5/91 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, CRDF, Ermes, Google Safebrowsing, Gridinsoft
URLQuery:        4 detections
Public blocklists: listed on 1 independent blocklist
Google Safe Browsing: FLAGGED

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.81.184 (US, San Francisco)
ASN:             ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org:     AS13335 Cloudflare, Inc.
Registrar:       Global Domain Group LLC
Nameservers:     adam.ns.cloudflare.com, danica.ns.cloudflare.com
Registered:      2026-06-02
Expires:         2027-06-02

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-09-06
Status:     INVALID chain
Fingerprint: bcd8f3436c221fb078a7cf4f7361cc05ce987fbf90bc6edc51b6833115517c1e

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either
the hosting provider / registrar suspended it on their own, the DNS went dead, or the
operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file
for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-06-24 22:57:16 UTC (by PhishDestroy tracker)
First reported:    2026-06-24 20:59:06 UTC (abuse notice filed)
Last verified:     2026-06-28 20:20:36 UTC
Neutralised:       2026-06-25 12:18:56 UTC
Current status:    taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019efb6a-a585-751a-bdf7-2cad6b08b26e/
URLQuery:         https://urlquery.net/report/3b75466f-3e95-402b-967a-b89a156c0d79
Wayback Machine:  https://web.archive.org/web/*/tokendistribution.org
crt.sh CT logs:   https://crt.sh/?q=%25.tokendistribution.org
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tokendistribution.org
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/tokendistribution.org
URLhaus:          https://urlhaus.abuse.ch/host/tokendistribution.org/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-26 13:38:37 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, tokendistribution.org, is flagged as an elevated-risk phishing operation designed to deceive users through fake token distribution schemes. Analysis indicates the threat type aligns with cryptocurrency drainer tactics, where victims are lured into connecting wallets to fraudulent platforms under the guise of legitimate airdrops or token allocations. The domain’s infrastructure and rapid deployment suggest a targeted campaign aimed at exploiting current trends in decentralized finance (DeFi) and token launches.  Infrastructure analysis reveals multiple technical indicators of malicious intent. The domain resolves to IP address 172.67.163.97, a hosting provider frequently associated with phishing and scam operations. It was registered on June 02, 2026, through Global Domain Group LLC, a registrar commonly used for short-lived malicious domains. Google Safe Browsing has explicitly flagged the domain as phishing, and it appears on at least one security blocklist. VirusTotal reports detection by 5 out of 95 security vendors, further corroborating its malicious classification. The SSL certificate, issued by Google Trust Services (WE1), does not mitigate the risk, as valid encryption is routinely exploited by threat actors to lend false legitimacy to phishing sites.  Mitigation against this specific threat requires a multi-layered approach. Users should verify token distribution announcements exclusively through official project channels, such as verified social media accounts or direct communications from known team members. Wallet connections should never be authorized on unfamiliar domains, particularly those promising unsolicited token allocations. Organizations and individuals are advised to block the domain and its associated IP (172.67.163.97) at the network level, and to monitor for similar domains registered through the same registrar. Security teams should prioritize updating detection rules to include this domain’s indicators of compromise, including its SSL certificate fingerprint and registration details, to prevent future exposure to this campaign or its variants.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260624-9EB7D2
Favicon MD5:       a270fd5daecd08e3865a9e168a599a8c
TLS cert SHA-256:      bcd8f3436c221fb078a7cf4f7361cc05ce987fbf90bc6edc51b6833115517c1e

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/tokendistribution.org/
JSON API:          https://api.destroy.tools/v1/check?domain=tokendistribution.org
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,053 domains (13,439 alive under monitoring, 158,116 confirmed takedowns/dead). Site: https://phishdestroy.io