# PhishDestroy threat dossier — tronlink-web3.org
================================================================
Fetched: 2026-04-19 04:16:31 UTC
Canonical: https://phishdestroy.io/domain/tronlink-web3.org/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 82/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 7/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.97.3
Registrar: Unstoppable Domains Inc.
Nameservers: evelyn.ns.cloudflare.com, kanye.ns.cloudflare.com
Registered: 2026-04-09
Page title: ΤrοnLіnk - Web3 Wallet
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-07-08
Status: INVALID chain
Fingerprint: b8b9376ab9fad0107eee213ce45e824c73dfff2f10a83eb00122fc9e121d45d9

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-09 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-15 14:12:49 UTC (by PhishDestroy tracker)
First reported: 2026-04-15 11:19:34 UTC (abuse notice filed)
Last verified: 2026-04-19 05:31:38 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d90d6-1c33-77dc-a427-86be02f2b409/
URLQuery: https://urlquery.net/report/61819dff-d803-461a-a4c3-5714134b0593
Wayback Machine: https://web.archive.org/web/*/tronlink-web3.org
crt.sh CT logs: https://crt.sh/?q=%25.tronlink-web3.org
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tronlink-web3.org
AlienVault OTX: https://otx.alienvault.com/indicator/domain/tronlink-web3.org
URLhaus: https://urlhaus.abuse.ch/host/tronlink-web3.org/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-15 14:13:17 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

TRONLink-Web3.org is a fraudulent website flagged by PhishDestroy as an active crypto drainer. Its design mimics the legitimate TRONLink Web3 wallet to trick users into connecting their crypto wallets or entering private keys, allowing attackers to drain assets directly from connected wallets. This site specifically targets users seeking Web3 wallet access, exploiting brand trust and urgency to bypass security awareness. Based on real-time telemetry, the domain is currently resolving to IP 188.114.97.3 under a Let's Encrypt SSL certificate, which is commonly used by legitimate services but does not guarantee safety when domain identity is falsified.

PhishDestroy identifies this domain through multiple threat intelligence feeds, including automated scanning and behavioral analysis. The domain was registered on April 09, 2026—less than a month ago—through Unstoppable Domains Inc., a blockchain-based domain registrar often exploited for phishing due to relaxed identity verification. Independent scanning via VirusTotal currently shows 0 out of 95 detection engines flagging the domain, highlighting how early-stage threats often evade static detection. Technical indicators include a newly created domain with short operational history, low reputation across DNS and SSL monitoring platforms, and hosting on an IP address associated with other known crypto scam infrastructure.

If you have visited tronlink-web3.org, immediately disconnect your wallet from the site and revoke any unnecessary permissions in your wallet settings. Do not enter your seed phrase or private key under any circumstances. Use a hardware wallet for high-value assets or move funds to a secure wallet you trust. Report the incident to your wallet provider and the legitimate TRONLink team via their official channels. Consider running a malware scan on your device if you entered sensitive information. Always verify website URLs manually and use bookmarks for official links to prevent similar attacks in the future.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260415-8B8F77
Favicon MD5: 8fa01f872cd50c6efdfc1a56dfa8b4e7
TLS cert SHA-256: b8b9376ab9fad0107eee213ce45e824c73dfff2f10a83eb00122fc9e121d45d9

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/tronlink-web3.org/
JSON API: https://api.destroy.tools/v1/check?domain=tronlink-web3.org
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains.
Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io