# PhishDestroy threat dossier — unisatwallet.com ================================================================ Fetched: 2026-07-15 10:56:56 UTC Canonical: https://phishdestroy.io/domain/unisatwallet.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Crypto Drainer ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: ChainPatrol, alphaMountain.ai, Gridinsoft Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: Cloudflare, Inc. Nameservers: gabe.ns.cloudflare.com, paislee.ns.cloudflare.com Registered: 2025-06-03 Expires: 2027-06-03 Page title: Unisat Wallet HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-09-26 Status: INVALID chain Fingerprint: a0ce86f40596d2111ad0cf23383b0689cdb394d62c1d20175e4ebc9c31c8c3e4 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2025-06-03 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 14:24:53 UTC (by PhishDestroy tracker) Last verified: 2026-07-15 12:20:44 UTC Neutralised: 2026-07-06 18:16:50 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3762-36ff-73b3-9d7c-e49e2dd115ad/ Wayback Machine: https://web.archive.org/web/*/unisatwallet.com crt.sh CT logs: https://crt.sh/?q=%25.unisatwallet.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=unisatwallet.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/unisatwallet.com URLhaus: https://urlhaus.abuse.ch/host/unisatwallet.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-06 15:01:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, unisatwallet.com, is an active crypto drainer designed to illicitly siphon cryptocurrency assets from victims by impersonating legitimate wallet services. The threat type is explicitly classified as a crypto drainer, a specialized form of phishing that executes unauthorized transactions once wallet credentials are compromised. As of the latest verification, the domain remains active and continues to resolve to its hosting infrastructure. Analysis indicates unisatwallet.com was registered on June 03, 2025, through Cloudflare, Inc. as the registrar. It currently resolves to the IP address 188.114.97.3, a Cloudflare proxy endpoint commonly used to obfuscate backend hosting. VirusTotal detection metrics reveal that 3 out of 95 security vendors have flagged this domain as malicious, a relatively low but non-zero detection rate that suggests either evasion techniques or recent deployment. No additional blocklist entries or trust scores were identified in public threat feeds, though the domain’s infrastructure aligns with known crypto drainer campaigns targeting decentralized finance (DeFi) users. Infrastructure analysis reveals the domain employs Cloudflare’s content delivery network (CDN) to mask its origin server, complicating takedown efforts and attribution. The use of a recently registered domain (under 30 days old at time of reporting) is consistent with phishing campaigns that leverage short-lived infrastructure to evade detection. Organizations and individuals are advised to block this domain at the DNS or network level, particularly in environments where cryptocurrency transactions occur. End-users should verify wallet URLs against official sources and avoid interacting with unsolicited links or pop-ups referencing unisatwallet.com. Security teams are recommended to monitor for connections to 188.114.97.3 and correlate with other indicators of compromise, such as unusual outbound transaction patterns or unauthorized wallet access attempts. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 9be2ab8c9240bffee48b4b2afb9feda2 TLS cert SHA-256: a0ce86f40596d2111ad0cf23383b0689cdb394d62c1d20175e4ebc9c31c8c3e4 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/unisatwallet.com/ JSON API: https://api.destroy.tools/v1/check?domain=unisatwallet.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,150 domains (50,754 alive under monitoring, 128,396 confirmed takedowns/dead). Site: https://phishdestroy.io