# PhishDestroy threat dossier — tokenpocket-sync.com
================================================================
Fetched: 2026-04-24 15:06:34 UTC
Canonical: https://phishdestroy.io/domain/tokenpocket-sync.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: OKX
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/94 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, LevelBlue, SOCRadar

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 107.151.77.137 (CA, Toronto)
ASN: AS132839 POWER LINE DATACENTER
Hosting org: XeVPS L.L.C
Registrar: Dominet (HK) Limited
Nameservers: ns1.domainnamedns.com, ns2.domainnamedns.com
Registered: 2026-04-15
Page title: 404 Not Found

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-06-16
Status: INVALID chain
Fingerprint: ffdcda0fd200c8fa72e1bdfe0411a9de03ab06b1ef068ce069d984ca530e2f0a
Subject Alternative Names (related infrastructure — often same operator):
- m.tokenpocket-sync.com
- wap.tokenpocket-sync.com
- www.tokenpocket-sync.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-15 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-15 08:06:30 UTC (by PhishDestroy tracker)
Last verified: 2026-04-24 01:40:08 UTC
Neutralised: 2026-04-23 19:20:35 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d8f84-eea2-7081-a7f7-5c5e7e23e6b9/
Wayback Machine: https://web.archive.org/web/*/tokenpocket-sync.com
crt.sh CT logs: https://crt.sh/?q=%25.tokenpocket-sync.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tokenpocket-sync.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/tokenpocket-sync.com
URLhaus: https://urlhaus.abuse.ch/host/tokenpocket-sync.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-15 08:06:52 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy has identified tokenpocket-sync.com as a brand impersonation attack targeting users of the OKX cryptocurrency exchange. The domain is designed to mimic OKX's official website in an attempt to steal user credentials or private keys. This poses a significant threat to individuals who may unknowingly interact with the fraudulent site, potentially leading to financial losses.

Technical indicators for tokenpocket-sync.com include a VirusTotal score of 0/95, indicating that it is not yet widely recognized as malicious. The domain was registered through Dominet (HK) Limited on October 16, 2025, and it resolves to the IP address 107.151.77.137. The site uses an SSL certificate issued by Let's Encrypt.
There is currently no data about its GSB status or presence on public blocklists.

The domain tokenpocket-sync.com is currently active and under investigation. Users should exercise extreme caution and avoid entering any sensitive information on this website. PhishDestroy recommends blocking this domain and reporting it to relevant authorities to prevent further exploitation. The risk remains high until the domain is taken down or flagged by security vendors.

[Updates since narrative was generated:]
- VirusTotal detections: now 3/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: df0415f6ab5d10ff579b9a8ce40a2d0c
TLS cert SHA-256: ffdcda0fd200c8fa72e1bdfe0411a9de03ab06b1ef068ce069d984ca530e2f0a

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged.
A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/tokenpocket-sync.com/
JSON API: https://api.destroy.tools/v1/check?domain=tokenpocket-sync.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io