# PhishDestroy threat dossier — turninginc.com ================================================================ Fetched: 2026-05-06 22:18:39 UTC Canonical: https://phishdestroy.io/domain/turninginc.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 87/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Binance ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 2/94 security vendors flagged this domain Flagging vendors: ESET, Kaspersky ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 154.88.14.117 (US, Dallas) ASN: AS40065 CNSERVERS LLC Hosting org: CenturyNetworks LTD Registrar: Hefei Juming Network Technology Co., Ltd Nameservers: ["ns1.julydns.com", "ns2.julydns.com"] Registered: 2026-03-28 Page title: 币安App下载 - 官网最新版安卓/iOS安装包 (Binance App Download) HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-06-25 Status: INVALID chain Fingerprint: 4fce3c50b48fddc837aa900d5e6d1b44fe191745c280d02d13d4e87f76fcfe00 Subject Alternative Names (related infrastructure — often same operator): - www.turninginc.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-03-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-03-28 10:35:21 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-03-28 07:36:14 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-05-06 23:11:20 UTC Neutralised: 2026-03-29 08:04:06 UTC Current status: taken down (registrar suspended or DNS dead) Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d335c-b6b9-734e-a0a5-bb9b4f8362d0/ URLQuery: https://urlquery.net/report/8fa7370d-e9d2-4239-8539-8a4d2dd191ec Wayback Machine: https://web.archive.org/web/*/turninginc.com crt.sh CT logs: https://crt.sh/?q=%25.turninginc.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=turninginc.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/turninginc.com URLhaus: https://urlhaus.abuse.ch/host/turninginc.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-03-28 10:36:18 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies turninginc.com as a live crypto drainer posing as a legitimate service to steal cryptocurrency from unwary users. This domain is specifically designed to trick visitors into connecting their digital wallets under false pretenses, allowing threat actors to drain funds directly through smart contract interactions. Security researchers have flagged the site’s deceptive UI and transaction prompts as classic indicators of a drainer operation, often mimicking popular platforms like exchanges or DeFi dashboards to gain user trust. This domain was flagged with zero detections on VirusTotal out of 95 scanners, indicating it has not yet been widely recognized by antivirus engines. It was registered through Hefei Juming Network Technology Co., Ltd. and was created on April 14, 1997 – a suspiciously early registration date that may indicate domain squatting or long-term holding for malicious deployment. The site operates under a valid Let’s Encrypt SSL certificate and resolves to IP 154.88.14.117, which has been linked to multiple low-reputation activities in threat intelligence feeds. If you visited turninginc.com, immediately disconnect your wallet and revoke any unauthorized permissions via your wallet’s connection manager. Do not approve any unexpected transactions or sign messages. Run a full malware scan on your device and consider rotating wallet credentials if exposed. Report the domain to PhishDestroy for investigation and block it in your browser and firewall to prevent repeat exposure. Always verify URLs and use reputable security tools before interacting with crypto-related websites. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260328-7AE2DF Favicon MD5: 43365839589fc348172246e108c1297c TLS cert SHA-256: 4fce3c50b48fddc837aa900d5e6d1b44fe191745c280d02d13d4e87f76fcfe00 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/turninginc.com/ JSON API: https://api.destroy.tools/v1/check?domain=turninginc.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 146,537 domains (59,069 alive under monitoring, 87,185 confirmed takedowns/dead). Site: https://phishdestroy.io