# PhishDestroy threat dossier — tronilnk.com.cn
================================================================
Fetched: 2026-05-07 13:36:59 UTC
Canonical: https://phishdestroy.io/domain/tronilnk.com.cn/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 74/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/95 security vendors flagged this domain
Flagging vendors: Seclookup

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 34.228.224.102 (US, Ashburn)
ASN: AS14618 Amazon.com, Inc.
Hosting org: AWS EC2 (us-east-1)
Registrar: 浙江贰贰网络有限公司 (Zhejiang 22 Network Co., Ltd.)
Nameservers: ns1.22.cn, ns2.22.cn
Registered: 2026-05-04
Page title: TronLink | 波场钱包 | 超过 10,000,000 全球用户的可靠选择 – TronLink钱包
  (English: "TronLink | Tron Wallet | The trusted choice of over 10,000,000 users worldwide – TronLink Wallet"; the trailing brand string was mis-encoded in the fetched copy and is repaired here)
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-08-02
Status: INVALID chain
Fingerprint (SHA-256): 33f1622c981e6e5528d2941d2c0524c4378c25b4d291cbd9b33efd26fbb476a7

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-07 09:37:09 UTC (by PhishDestroy tracker)
First reported: 2026-05-07 06:37:56 UTC (abuse notice filed; note that this precedes "First detected" and conflicts with the "No abuse reports filed yet" status above, so treat the report timestamp as unverified)
Last verified: 2026-05-07 14:00:39 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e0126-0c3b-719d-a8db-8828df081a02/
Wayback Machine: https://web.archive.org/web/*/tronilnk.com.cn
crt.sh CT logs: https://crt.sh/?q=%25.tronilnk.com.cn
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tronilnk.com.cn
AlienVault OTX: https://otx.alienvault.com/indicator/domain/tronilnk.com.cn
URLhaus: https://urlhaus.abuse.ch/host/tronilnk.com.cn/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-07 09:38:43 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies tronilnk.com.cn as a malicious domain built for credential theft and cryptocurrency draining. The name is a typosquat of the TronLink wallet brand (the letters "l" and "i" of "tronlink" are transposed), and the site masquerades as an official TronLink / Tron Network portal, luring visitors into entering wallet credentials (seed phrase or private key) or connecting their wallet so that a drainer script can request token approvals and transfers. Registration occurred on 2026-05-04 through 浙江贰贰网络有限公司 (Zhejiang 22 Network Co., Ltd.), and the name resolves to 34.228.224.102. The site serves a Let's Encrypt TLS certificate, which avoids the browser's "not secure" warning and lends a surface appearance of legitimacy; a free, domain-validated certificate says nothing about who operates the site, and the chain as served is reported as invalid in the TLS CERTIFICATE section above. Only 1 of 95 VirusTotal vendors currently flags this domain, which reflects the campaign's recency rather than its safety.
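Why a 1/95 VirusTotal result is not reassuring here can be shown with the indicators this dossier already records. The following Python is an added example, not PhishDestroy's scoring code: it scores a domain record on the same signal classes listed under SCORING METHODOLOGY (brand-impersonation heuristics via edit distance from a brand label and the brand name in the page title, domain age, a free-CA certificate on a fresh domain, and the VT ratio) and aggregates them into a composite. The brand list, thresholds, point weights and verdict bands are hypothetical and chosen to illustrate the aggregation, not to reproduce the 74/100 score above; the suspect record is constructed from this dossier's fields and the legitimate baseline is made up.

```python
"""Heuristic triage of a suspected brand-impersonation domain.

Added example for this dossier, not PhishDestroy's code. Weights, thresholds
and the brand list are hypothetical; they illustrate how independent signals
are aggregated so that a low VirusTotal count alone never clears a domain.
"""
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical brand labels a typosquat is compared against (real feeds are far larger).
BRAND_LABELS = ("tronlink", "tronscan", "metamask", "phantom")

# Issuers treated as "free TLS" for the throwaway-infrastructure signal (hypothetical list).
FREE_CA_ISSUERS = ("Let's Encrypt", "ZeroSSL")

# Observation date taken from this dossier's "First detected" field.
OBSERVED_ON = date(2026, 5, 7)

# Record constructed from the INFRASTRUCTURE / TLS / DETECTION fields of this dossier.
SUSPECT = {
    "domain": "tronilnk.com.cn",
    "registered": date(2026, 5, 4),
    "cert_issuer": "Let's Encrypt / R13",
    "title": "TronLink | 波场钱包 | 超过 10,000,000 全球用户的可靠选择 – TronLink钱包",
    "vt_positives": 1,
    "vt_total": 95,
}

# Made-up legitimate baseline: exact brand label, old registration, paid CA, clean VT.
LEGIT = {
    "domain": "tronlink.example",
    "registered": date(2018, 7, 1),
    "cert_issuer": "Example Commercial CA",
    "title": "TronLink Wallet",
    "vt_positives": 0,
    "vt_total": 95,
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, so 'tronilnk' vs 'tronlink' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def nearest_brand(label: str) -> Tuple[str, int]:
    """Closest brand label and its edit distance from the domain's leftmost label."""
    best = min(BRAND_LABELS, key=lambda b: (osa_distance(label, b), b))
    return best, osa_distance(label, best)


def triage(rec: Dict, today: date) -> Dict:
    """Aggregate independent signals into a composite score (hypothetical weights)."""
    # Crude label extraction: leftmost label only; a production version would
    # strip the public suffix and also examine subdomain labels.
    label = rec["domain"].lower().split(".")[0]
    brand, dist = nearest_brand(label)
    # An exact brand match is the brand itself; one or two edits away is a look-alike.
    impersonates = label != brand and dist <= 2
    age_days = (today - rec["registered"]).days
    signals: List[Tuple[str, int]] = []
    if impersonates:
        signals.append((f"typosquat:{label}->{brand}:dist={dist}", 35))
    if age_days <= 30:
        signals.append((f"new_domain:{age_days}d", 20))
    if age_days <= 30 and rec["cert_issuer"].startswith(FREE_CA_ISSUERS):
        signals.append(("free_tls_on_new_domain", 10))
    if impersonates and brand in rec["title"].lower():
        signals.append((f"brand_in_title:{brand}", 20))
    if rec["vt_positives"] > 0:
        # VT contributes, but is capped so it can never carry the verdict on its own.
        signals.append((f"vt:{rec['vt_positives']}/{rec['vt_total']}",
                        min(15, 3 * rec["vt_positives"])))
    score = min(100, sum(points for _, points in signals))
    verdict = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"
    return {"label": label, "brand": brand, "distance": dist,
            "signals": signals, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for rec in (SUSPECT, LEGIT):
        result = triage(rec, OBSERVED_ON)
        print(rec["domain"], result["verdict"], result["score"], result["signals"])
```

Run stand-alone it prints a verdict for each record. The suspect trips every non-VT signal (one-edit typosquat, three-day-old domain, free certificate on that fresh domain, brand name in the title) and lands in the HIGH band with only a single VT vendor contributing; the baseline scores zero because an exact brand label is not a typosquat and an old domain on a commercial CA triggers none of the freshness signals.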
Technical indicators reveal a high-risk profile: the domain's three-day age points to a fast-moving actor who registered a look-alike name and stood it up immediately. The registrar's involvement is not in itself evidence of wrongdoing (registrars do not provide cryptocurrency services); what matters for the score is its abuse-handling track record, which feeds the composite below. Other low-reputation domains have been observed on 34.228.224.102, but the address belongs to AWS EC2 in us-east-1 (AS14618), shared cloud capacity rather than bulletproof hosting: abuse reports should go to AWS, and the address should not be used as a durable indicator on its own, since EC2 addresses are recycled across tenants. The domain name is the reliable indicator.

Given the drainer functionality, anyone who interacted with this domain risks immediate and irreversible loss. If exposure is suspected: disconnect the site from the wallet (TronLink's connected-sites list, or WalletConnect's session disconnect); revoke any token approvals granted to unknown spenders, for TRC-20 tokens by re-approving the spender for 0 through the wallet or a block explorer such as TronScan (Etherscan or its equivalent for any EVM wallet that was connected); move remaining assets to a wallet whose seed was never exposed, preferably a hardware wallet; and, if a seed phrase or private key was typed into the site, treat that wallet as fully compromised and abandon it, because keys derived from a leaked seed cannot be rotated in place. Report the domain to your organization's SOC or to PhishDestroy for inclusion in threat feeds, monitor the affected addresses for unauthorized transactions, and block the domain at the DNS and network level to prevent further exposure.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260507-C25419
Favicon MD5: e1dd02b0b438538ba47084ce977a994d
TLS cert SHA-256: 33f1622c981e6e5528d2941d2c0524c4378c25b4d291cbd9b33efd26fbb476a7

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (a non-standard HTTP status such as 666, or a rendering delta between a bot and a real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/tronilnk.com.cn/
JSON API: https://api.destroy.tools/v1/check?domain=tronilnk.com.cn
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 146,920 domains (52,558 alive under monitoring, 94,028 confirmed takedowns/dead).
Site: https://phishdestroy.io