# PhishDestroy threat dossier — trustnodes.dev
================================================================
Fetched: 2026-05-01 03:03:27 UTC
Canonical: https://phishdestroy.io/domain/trustnodes.dev/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 76/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Trust Wallet

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/94 security vendors flagged this domain
Flagging vendors: alphaMountain.ai

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 145.223.77.151 (US, Boston)
ASN: AS47583 Hostinger International Limited
Hosting org: HOSTINGER US
Registrar: Hosting Concepts B.V. d/b/a Registrar.eu
Nameservers: ["ns1.dns-parking.com", "ns2.dns-parking.com"]
Registered: 2026-04-17
Expires: 2027-03-05
Page title: Trust Wallet - ваше надежное web3 расширение

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-06-03
Status: INVALID chain
Fingerprint: d9cd721c4f9c7ec5c399891ce3dbdbaedd57eecc90da97cb631674bef8bfc1eb
Subject Alternative Names (related infrastructure — often same operator):
- www.trustnodes.dev

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-17 07:05:47 UTC (by PhishDestroy tracker)
First reported: 2026-04-17 04:07:38 UTC (abuse notice filed)
Last verified: 2026-04-25 07:40:50 UTC
Neutralised: 2026-04-23 02:14:14 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d999b-e7e1-771e-bfd3-c38944203a2f/
URLQuery: https://urlquery.net/report/df1884c0-1cb9-4d86-a7f5-5361c800553f
Wayback Machine: https://web.archive.org/web/*/trustnodes.dev
crt.sh CT logs: https://crt.sh/?q=%25.trustnodes.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=trustnodes.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/trustnodes.dev
URLhaus: https://urlhaus.abuse.ch/host/trustnodes.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-17 07:06:53 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

trustnodes.dev was flagged by PhishDestroy for actively impersonating Trust Wallet, a major crypto wallet brand. This domain aims to trick users into downloading malicious software by presenting itself as the official Trust Wallet web3 extension. The lure relies on a familiar brand name and Russian-language promises of a reliable web3 extension, which should immediately raise red flags for anyone familiar with Trust Wallet’s legitimate channels. This domain was flagged by PhishDestroy under seed bb834e and is currently under investigation.

Key indicators include its recent creation date of March 05, 2026, and hosting through Registrar.eu (Hosting Concepts B.V.). The domain currently returns a clean 0/95 detection score on VirusTotal and remains unlisted on major blocklists, though it resolves to IP 145.223.77.151 and uses a Let’s Encrypt SSL certificate. The mismatch between low detection rates and active impersonation activity highlights the evolving nature of these threats, where new domains can evade detection long enough to cause harm.

If you or your users visited trustnodes.dev, do not enter any credentials or download files from the site. Disconnect any affected devices from the network, scan for malware, and report the domain to your security team or through PhishDestroy’s portal. Always verify URLs against official sources and avoid downloading extensions from third-party domains. Monitor accounts for unauthorized transactions and force-rotate wallet credentials as a precaution.

[Updates since narrative was generated:]
- VirusTotal detections: now 1/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260417-3D0B14
Favicon MD5: e14aa1e20c3738eb466b325bcd95be02
TLS cert SHA-256: d9cd721c4f9c7ec5c399891ce3dbdbaedd57eecc90da97cb631674bef8bfc1eb

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/trustnodes.dev/
JSON API: https://api.destroy.tools/v1/check?domain=trustnodes.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io