# PhishDestroy threat dossier — trzrlogin-auth-cdn-io.typedream.app ================================================================ Fetched: 2026-06-30 18:26:03 UTC Canonical: https://phishdestroy.io/domain/trzrlogin-auth-cdn-io.typedream.app/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 98/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing Targeted brand: Trezor ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/91 security vendors flagged this domain Flagging vendors: ChainPatrol, alphaMountain.ai, BitDefender, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, Lionic, Netcraft, PhishFort, Sophos, Webroot Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.37.85 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: Typedream Nameservers: NS_NOT_FOUND Page title: Trezor @Login: The Official Wallet for Secure Cryptocurrency Management ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-08-26 Status: INVALID chain Fingerprint: 7cbc9d5acaff550ef5d29c76a71bdf4aac8fd42efa8207719f76b60ff6ed4b81 Subject Alternative Names (related infrastructure — often same operator): - typedream.app ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-06-26 10:20:19 UTC (by PhishDestroy tracker) Last verified: 2026-06-30 20:20:36 UTC Neutralised: 2026-06-26 12:01:23 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f0303-0fe2-726d-afe1-a94230f686ce/ Wayback Machine: https://web.archive.org/web/*/trzrlogin-auth-cdn-io.typedream.app crt.sh CT logs: https://crt.sh/?q=%25.trzrlogin-auth-cdn-io.typedream.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=trzrlogin-auth-cdn-io.typedream.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/trzrlogin-auth-cdn-io.typedream.app URLhaus: https://urlhaus.abuse.ch/host/trzrlogin-auth-cdn-io.typedream.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-26 11:21:01 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, trzrlogin-auth-cdn-io.typedream.app, is actively engaged in credential theft, a form of cyberattack where attackers create fraudulent login pages to harvest usernames, passwords, and other sensitive information. Victims are typically lured through deceptive emails, messages, or advertisements that mimic legitimate services, such as cloud storage providers, financial institutions, or corporate login portals. Once credentials are entered, they are transmitted to attacker-controlled servers, enabling unauthorized access to accounts, data breaches, or further exploitation, such as identity theft or financial fraud. The threat is particularly dangerous for users who reuse passwords across multiple platforms, as compromised credentials can lead to cascading security failures. Analysis indicates this domain is flagged by 7 out of 95 security vendors on VirusTotal, a clear indicator of malicious activity. Infrastructure analysis reveals the domain resolves to the IP address 188.114.96.3, which may be part of a content delivery network (CDN) or proxy service to obscure its true origin. The domain is registered through Typedream, a platform that allows users to create websites with minimal technical expertise, which is frequently abused by threat actors to rapidly deploy phishing infrastructure. While the SSL certificate is issued by Google Trust Services, providing an appearance of legitimacy, this is a common tactic to evade browser warnings and gain user trust. The domain’s structure, including subdomains like 'trzrlogin-auth-cdn-io,' is designed to mimic authentication endpoints, further enhancing its deceptive appearance. If you or someone in your organization has visited this domain or entered credentials, immediate action is required to mitigate risks. First, disconnect the affected device from the network to prevent potential data exfiltration. Change passwords for any accounts accessed from the compromised device, prioritizing email, financial, and administrative accounts. Enable multi-factor authentication (MFA) wherever possible to add an additional layer of security. Monitor accounts for suspicious activity, such as unauthorized logins or transactions, and report any anomalies to the respective service providers. If corporate credentials were exposed, notify your organization’s IT or security team to initiate incident response protocols. Finally, scan the device for malware using updated security tools, as credential theft sites may also distribute malicious payloads. Users should remain vigilant for follow-up attacks, such as targeted phishing emails or social engineering attempts, which may leverage the stolen information. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 7cbc9d5acaff550ef5d29c76a71bdf4aac8fd42efa8207719f76b60ff6ed4b81 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/trzrlogin-auth-cdn-io.typedream.app/ JSON API: https://api.destroy.tools/v1/check?domain=trzrlogin-auth-cdn-io.typedream.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 172,893 domains (13,046 alive under monitoring, 159,234 confirmed takedowns/dead). Site: https://phishdestroy.io