# PhishDestroy threat dossier — tradespherefx.top ================================================================ Fetched: 2026-05-01 07:20:43 UTC Canonical: https://phishdestroy.io/domain/tradespherefx.top/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 76/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker, Gridinsoft ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 37.49.229.75 (NL, Amsterdam) ASN: AS3920 PUSHPKT OU Hosting org: ESTOXY OU Registrar: Global Domain Group LLC Nameservers: ["ns1.controlpanel.sbs.", "ns2.controlpanel.sbs."] Registered: 2026-04-28 Page title: TradeSphereFx — Home HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-07-13 Status: INVALID chain Fingerprint: 66a3e8b8f9ec19dca70a66427beb490146a9dcfb80e8aa35c33c42c8f9bad99a ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-28 10:14:16 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-28 07:14:55 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-05-01 03:36:36 UTC Current status: ACTIVE / observable Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dd2ed-fcf0-742a-93d7-6296968f651f/ URLQuery: https://urlquery.net/report/e7919954-aad5-46bd-8c80-afd8c28dcfe3 Wayback Machine: https://web.archive.org/web/*/tradespherefx.top crt.sh CT logs: https://crt.sh/?q=%25.tradespherefx.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tradespherefx.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/tradespherefx.top URLhaus: https://urlhaus.abuse.ch/host/tradespherefx.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-28 10:15:13 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies tradespherefx.top as an active crypto-investment scam that surfaced on October 13, 2025 and presently resolves to 37.49.229.75. This domain masquerades as a legitimate forex trading platform while harvesting credentials and cryptocurrency deposits from victims. The risk level is under_investigation yet the site remains live, indicating imminent danger to any user who registers or logs in. This domain was flagged with zero detections out of 95 engines on VirusTotal, suggesting a minimal footprint in current threat-intelligence feeds. The registration was conducted through Global Domain Group LLC, a registrar known for bulk low-cost sales that often obfuscate true ownership. The IP address 37.49.229.75 hosts multiple newly minted domains and has no positive reputation scores on public blocklists or web-reputation engines. Let’s Encrypt issued an SSL certificate on the day of creation, providing a veneer of legitimacy. The short domain age (one week) and absence of historical data make it a prime candidate for fast-flux or bullet-proof hosting strategies. Mitigation for this credential-harvesting and cryptocurrency theft campaign begins with immediate DNS-based blocking of tradespherefx.top and 37.49.229.75 at the firewall or secure-web-gateway layer. End-users should refrain from visiting the site or entering any personal or financial information; TLS warnings should be enforced regardless of certificate issuer. Security teams should alert affected user populations via out-of-band channels and collect telemetry from DNS and proxy logs to identify additional victims. Finally, revocation of the Let’s Encrypt certificate via the ACME protocol can degrade the site’s perceived legitimacy while incident responders prepare takedown requests to the hosting provider and registrar. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260428-972F9E TLS cert SHA-256: 66a3e8b8f9ec19dca70a66427beb490146a9dcfb80e8aa35c33c42c8f9bad99a ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/tradespherefx.top/ JSON API: https://api.destroy.tools/v1/check?domain=tradespherefx.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io