# PhishDestroy threat dossier — trezor-suite-help.square.site
================================================================
Fetched: 2026-06-19 16:28:20 UTC
Canonical: https://phishdestroy.io/domain/trezor-suite-help.square.site/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Trezor

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/91 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 74.115.51.5 (US, Oakland)
Hosting org: AS27647 Weebly, Inc.
Registrar: MarkMonitor Inc.
Nameservers: ns-1248.awsdns-28.org, ns-1816.awsdns-35.co.uk, ns-311.awsdns-38.com, ns-810.awsdns-37.net
Registered: 2019-02-05
Expires: 2031-02-05
Page title: Trezor suite | Trezor suite
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-08-05
Status: INVALID chain
Fingerprint: 1b4e29676aba09452fbbb418b4fb2022af0dcbfa3f470c0e661431771ab9665f
Subject Alternative Names (related infrastructure — often same operator):
- square.site

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2019-02-05 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-18 14:21:33 UTC (by PhishDestroy tracker)
Last verified: 2026-06-19 18:22:14 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019edaac-1cc6-74df-ab24-45a153f4b11b/
Wayback Machine: https://web.archive.org/web/*/trezor-suite-help.square.site
crt.sh CT logs: https://crt.sh/?q=%25.trezor-suite-help.square.site
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=trezor-suite-help.square.site
AlienVault OTX: https://otx.alienvault.com/indicator/domain/trezor-suite-help.square.site
URLhaus: https://urlhaus.abuse.ch/host/trezor-suite-help.square.site/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-18 16:32:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain poses a significant brand impersonation threat, specifically targeting Trezor users by mimicking the brand's suite, which could lead to severe consequences such as financial loss or identity theft. PhishDestroy identifies trezor-suite-help.square.site as a high-risk domain. It was registered through MarkMonitor Inc. on February 05, 2019, and currently resolves to IP 74.115.51.5 with a Let's Encrypt SSL certificate. Notably, 4 out of 95 security vendors on VirusTotal have flagged this domain, and it appears on 3 security blocklists.

The domain's creation date and its registration through a reputable registrar may suggest a level of legitimacy, but the accumulation of red flags, including the low VirusTotal score of 4/95 and its appearance on multiple blocklists, indicates a high level of risk. The fact that it has managed to evade detection for so long, being still active, underscores the importance of vigilance when interacting with online services, especially those related to cryptocurrency and financial management.

Users who have visited trezor-suite-help.square.site should immediately take action to protect themselves, including monitoring their accounts for any suspicious activity, changing passwords, and ensuring that all software and security measures are up to date. It is also crucial for users to verify the authenticity of any website or service before providing sensitive information, and to report any instances of brand impersonation to the relevant authorities and the targeted brand, in this case, Trezor, to help prevent further incidents and protect the community.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: d810985ef4dc1c0bd5811e36d13c8ca3
TLS cert SHA-256: 1b4e29676aba09452fbbb418b4fb2022af0dcbfa3f470c0e661431771ab9665f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/trezor-suite-help.square.site/
JSON API: https://api.destroy.tools/v1/check?domain=trezor-suite-help.square.site
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 166,461 domains (13,377 alive under monitoring, 152,599 confirmed takedowns/dead).
Site: https://phishdestroy.io