# PhishDestroy threat dossier — transitswap.finance ================================================================ Fetched: 2026-07-03 20:39:45 UTC Canonical: https://phishdestroy.io/domain/transitswap.finance/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 98/100 (PhishDestroy scoring — see methodology below) Scam classification: Crypto Drainer ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/91 security vendors flagged this domain AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.23.22 (US, San Jose) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS16509 Amazon.com, Inc. Registrar: Dynadot Inc Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net Registered: 2025-12-02 Expires: 2026-12-02 Page title: Web3 Connect Demo ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-09-16 Status: INVALID chain Fingerprint: 4b079c4a41eab9844ace3bad0287737fa8a5eaeef03529b8f122f8c22274f4c4 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-12-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-18 21:00:48 UTC (by PhishDestroy tracker) First reported: 2026-06-18 19:02:51 UTC (abuse notice filed) Last verified: 2026-07-03 20:20:36 UTC Neutralised: 2026-06-19 00:04:48 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019edc1a-9c58-714b-afe3-587788763690/ URLQuery: https://urlquery.net/report/a94bc233-2b47-47c0-8bc8-de1e7a3fdd0b Wayback Machine: https://web.archive.org/web/*/transitswap.finance crt.sh CT logs: https://crt.sh/?q=%25.transitswap.finance Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=transitswap.finance AlienVault OTX: https://otx.alienvault.com/indicator/domain/transitswap.finance URLhaus: https://urlhaus.abuse.ch/host/transitswap.finance/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-25 19:25:46 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, transitswap.finance, is actively targeting cryptocurrency users with a crypto wallet drainer phishing scheme. Analysis indicates the site mimics legitimate Web3 connection interfaces, tricking victims into authorizing malicious smart contracts that siphon digital assets from connected wallets. The threat specifically exploits the Web3 Connect Demo page title, suggesting an attempt to deceive users into granting transaction permissions under false pretenses, leading to immediate and irreversible asset loss. Technical evidence supports the malicious classification. The domain was registered on December 02, 2025, through Dynadot Inc, and currently resolves to IP address 104.21.23.22 hosted on Amazon.com, Inc. (AS16509). Despite zero detections on VirusTotal (0/95), the domain appears on one security blocklist (PhishDestroy). The SSL certificate is issued by Let's Encrypt (YR1), a common tactic to lend false legitimacy to phishing infrastructure. The creation date, combined with the lack of historical reputation, aligns with patterns observed in short-lived, high-impact crypto drainer campaigns. Users who have interacted with transitswap.finance should immediately revoke any connected wallet permissions via their wallet's dApp connection manager. All active sessions should be terminated, and a full security audit of the wallet's transaction history is recommended to identify unauthorized transfers. If assets were transferred, report the incident to relevant blockchain explorers and law enforcement cybercrime units. Avoid reusing credentials or wallet addresses associated with this domain, as they may be targeted in follow-up attacks. Monitor for unusual smart contract interactions or pending transaction approvals, which could indicate ongoing compromise. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260618-3932E1 Favicon MD5: b8a0bf372c762e966cc99ede8682bc71 TLS cert SHA-256: 4b079c4a41eab9844ace3bad0287737fa8a5eaeef03529b8f122f8c22274f4c4 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/transitswap.finance/ JSON API: https://api.destroy.tools/v1/check?domain=transitswap.finance Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,411 domains (13,161 alive under monitoring, 160,432 confirmed takedowns/dead). Site: https://phishdestroy.io