# PhishDestroy threat dossier — trustwalletaml.run
================================================================

Fetched:   2026-04-18 19:04:49 UTC
Canonical: https://phishdestroy.io/domain/trustwalletaml.run/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 99/100 (PhishDestroy scoring — see methodology below)
Scam classification: AML Scam
Targeted brand: Trust Wallet

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      4/94 security vendors flagged this domain
URLQuery:        2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      151.101.2.15
Registrar:       PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers:     NS_NOT_FOUND
Registered:      2026-04-15
Expires:         2027-03-28
Page title:      AML Trust Wallet
HTTP response:   530

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / R13
Expires:    2026-06-26
Status:     INVALID chain
Fingerprint: e042d3c357252594d527945ed791b6591aad8ba3824ed3d800f1359e659be912

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-15 (per WHOIS — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-15 09:07:33 UTC (by PhishDestroy tracker)
First reported:    2026-04-15 06:09:25 UTC (abuse notice filed)
Last verified:     2026-04-18 21:05:09 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d8fbf-72a8-72cc-8d0f-6c3ee384b71e/
URLQuery:         https://urlquery.net/report/4c2d1354-6f04-42c7-9834-54c4d403f121
Wayback Machine:  https://web.archive.org/web/*/trustwalletaml.run
crt.sh CT logs:   https://crt.sh/?q=%25.trustwalletaml.run
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=trustwalletaml.run
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/trustwalletaml.run
URLhaus:          https://urlhaus.abuse.ch/host/trustwalletaml.run/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-15 09:07:50 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies trustwalletaml.run as an active crypto drainer domain impersonating Trust Wallet, a leading cryptocurrency wallet brand. This domain was flagged for brand impersonation on March 28, 2026, and has not yet been detected by VirusTotal security engines, showing 0/95 detections as of the latest scan. Resolving to IP 151.101.2.15, it uses a Let's Encrypt SSL certificate to appear legitimate, while being registered through PDR Ltd. d/b/a PublicDomainRegistry.com, a known domain provider frequently exploited by cybercriminals for malicious registrations.  The threat posed by trustwalletaml.run is high-risk due to its specific targeting of Trust Wallet users, aiming to deceive victims into connecting their wallets or entering credentials on a fraudulent interface. Once accessed, the domain is designed to drain cryptocurrency assets directly from connected wallets by exploiting transaction approvals or harvesting private keys. With no detections on VirusTotal, the domain remains unblocked across many security systems, increasing the likelihood of successful compromise for unsuspecting users. The use of a legitimate-looking SSL certificate and a domain name mimicking the official Trust Wallet site (trustwallet.com) further enhances its deceptive appearance.  Users who visited this domain should immediately disconnect their wallets and revoke any connected permissions through their wallet’s security settings. Do not enter any credentials or connect wallets to sites resembling Trust Wallet unless verified through official channels. Report the domain to Trust Wallet’s abuse team and update your system’s blocklists using the IP 151.101.2.15 and domain trustwalletaml.run. Monitor wallet transactions closely and consider transferring assets to a cold wallet if any suspicious activity is detected.

[Updates since narrative was generated:]
  - VirusTotal detections: now 4/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260415-3A5B35
Favicon MD5:       07561ecdba34d25fb47967dc073e74fe
TLS cert SHA-256:      e042d3c357252594d527945ed791b6591aad8ba3824ed3d800f1359e659be912

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/trustwalletaml.run/
JSON API:          https://api.destroy.tools/v1/check?domain=trustwalletaml.run
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io