# PhishDestroy threat dossier — usdtrons.online
================================================================

Fetched: 2026-05-13 16:57:12 UTC
Canonical: https://phishdestroy.io/domain/usdtrons.online/

## VERDICT
----------------------------------------------------------------

TAKEN DOWN (neutralised)

Composite threat score: 81/100 (PhishDestroy scoring — see methodology below)
Scam classification: Airdrop Scam
Targeted brand: Airdrop Scam

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 1/92 security vendors flagged this domain
Flagging vendors: Gridinsoft

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 104.233.162.116 (JP, Tokyo)
ASN: AS398993 PEG TECH INC
Hosting org: PEG TECH. INC.
Registrar: GoDaddy.com, LLC
Nameservers: ns55.domaincontrol.com, ns56.domaincontrol.com
Registered: 2026-05-07
Page title: Crypto Airdrop Anniversary Campaign | U.S. Promotion

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: TrustAsia Technologies, Inc. / LiteSSL RSA CA 2025
Expires: 2026-07-29
Status: INVALID chain
Fingerprint: 44b3a65b1156ad0cf2b675f23bca5f6b4422b0bc58dcf6a5f372ef678f690f92

Subject Alternative Names (related infrastructure — often same operator):

- www.usdtrons.online

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-05-07 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-07 09:45:06 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-05-07 06:47:01 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-12 01:40:04 UTC
Neutralised: 2026-05-12 00:01:13 UTC
Current status: taken down (registrar suspended or DNS dead)

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019e012c-7daf-77e8-91db-0873598b84db/
Wayback Machine: https://web.archive.org/web/*/usdtrons.online
crt.sh CT logs: https://crt.sh/?q=%25.usdtrons.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=usdtrons.online
AlienVault OTX: https://otx.alienvault.com/indicator/domain/usdtrons.online
URLhaus: https://urlhaus.abuse.ch/host/usdtrons.online/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-05-07 09:47:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies usdtrons.online as a recently activated domain designed to mimic legitimate cryptocurrency wallet services, specifically targeting users of USDT (Tether) and related tokens. This site poses as a secure platform for managing digital assets but is engineered to steal login credentials, wallet private keys, or directly siphon deposited cryptocurrency. Victims may be lured via social media, messaging apps, or spoofed emails that falsely claim account suspension, security updates, or promotional giveaways. Once credentials or wallet keys are entered, attackers gain immediate control over victim funds with no recovery options in decentralized finance systems.

This domain was flagged as 'generic_phishing' and remains under investigation due to low detection rates despite clear malicious intent. Intelligence shows it resolves to IP address 104.233.162.116 and uses a certificate issued by TrustAsia Technologies, Inc. The site was registered through GoDaddy.com, LLC on April 29, 2026 — a suspiciously recent creation date for a financial platform claiming years of operation. As of the latest scan, VirusTotal reports 0 out of 95 antivirus engines detected it as malicious, highlighting how new and evasive this threat remains. The registrar and SSL issuer are legitimate entities, but the combination of fresh domain age and low detection indicates active evasion of security controls.

If you visited usdtrons.online, immediately disconnect from the internet and scan all devices used for cryptocurrency access with updated antivirus software. Do not enter wallet addresses, private keys, seed phrases, or login credentials into any form on the site. If you entered your wallet's private key or mnemonic phrase, transfer all remaining funds to a new, secure wallet immediately — old funds may already be compromised. Review transaction histories on block explorers like Etherscan or Tronscan for any unauthorized transfers. Report the domain to your local cybercrime unit or platforms like PhishDestroy, and warn others in crypto communities. Consider using hardware wallets and enabling multi-factor authentication for all exchanges and wallet services to reduce future risk.

## EVIDENCE HASHES
----------------------------------------------------------------

PhishDestroy Case ID: PD-20260507-C0CD1C
TLS cert SHA-256: 44b3a65b1156ad0cf2b675f23bca5f6b4422b0bc58dcf6a5f372ef678f690f92

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/usdtrons.online/
JSON API: https://api.destroy.tools/v1/check?domain=usdtrons.online
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 148,974 domains (40,734 alive under monitoring, 107,961 confirmed takedowns/dead). Site: https://phishdestroy.io