# PhishDestroy threat dossier — topupday.net.ng
================================================================

Fetched:   2026-04-23 11:17:22 UTC
Canonical: https://phishdestroy.io/domain/topupday.net.ng/

## VERDICT
----------------------------------------------------------------
ACTIVE THREAT — multiple warning signs
Composite threat score: 55/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/95 security vendors flagged this domain
URLQuery:        2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      163.61.188.9 (US, Staten Island)
ASN:             AS153568 NEW DHAKA HARDWARE
Hosting org:     MIT
Registrar:       REGISTRAR_NOT_FOUND
Nameservers:     dns1.lytehosting.com, dns2.lytehosting.com, dns3.lytehosting.com, dns4.lytehosting.com
Registered:      2026-04-23
Page title:      topupday
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R13
Expires:    2026-06-07
Status:     INVALID chain
Fingerprint: 6a0466c518151a61658e49d9ece0c1c5cdcfd69cb1196b48fd34545f637a60ba

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-23 07:41:50 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-23 04:43:07 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-04-23 13:50:04 UTC
Current status:    ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019db8a3-e6d7-709c-a862-bc0f11bf7827/
URLQuery:         https://urlquery.net/report/e96f4c27-3569-412c-ab87-13db192ee8da
Wayback Machine:  https://web.archive.org/web/*/topupday.net.ng
crt.sh CT logs:   https://crt.sh/?q=%25.topupday.net.ng
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=topupday.net.ng
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/topupday.net.ng
URLhaus:          https://urlhaus.abuse.ch/host/topupday.net.ng/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-23 07:42:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

topupday.net.ng has been flagged as a generic phishing domain under active investigation, specifically identified as a crypto drainer impersonating credential harvesting portals. Current risk assessment remains under investigation; however, the domain’s operational characteristics and lack of detections warrant heightened caution. Users interacting with this domain risk unauthorized fund transfers or credential compromise, emphasizing the need for immediate verification.  PhishDestroy identifies topupday.net.ng resolving to IP 163.61.188.9, utilizing a Let’s Encrypt SSL certificate. VirusTotal reports 0 out of 95 security vendors flagged the domain, indicating no current blocklist presence. The domain’s infrastructure lacks transparency, with no available data on registrar, creation date, or trust scores, suggesting a recent or deliberately obscured setup. These factors amplify the threat potential, as malicious actors often leverage freshly registered domains to evade detection until abuse is widespread.  Mitigation for this crypto drainer threat involves immediate domain blocking at the network and endpoint levels. Users should avoid accessing topupday.net.ng and verify any similar domains through PhishDestroy’s threat intelligence platform. Organizations are advised to update firewall rules, DNS sinkholes, and SIEM queries to detect and block traffic to this IP (163.61.188.9) and associated domains. Proactive user awareness campaigns highlighting crypto drainer tactics—such as fake login portals and unsolicited fund transfer requests—are critical to reducing exposure. PhishDestroy continues monitoring this domain, and further updates will be provided as the investigation progresses.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260423-D142B0
TLS cert SHA-256:      6a0466c518151a61658e49d9ece0c1c5cdcfd69cb1196b48fd34545f637a60ba

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/topupday.net.ng/
JSON API:          https://api.destroy.tools/v1/check?domain=topupday.net.ng
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io