# PhishDestroy threat dossier — vantage-tw.com
================================================================

Fetched:   2026-04-30 22:17:20 UTC
Canonical: https://phishdestroy.io/domain/vantage-tw.com/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 87/100 (PhishDestroy scoring — see methodology below)
Scam classification: Investment Scam
Targeted brand: Investment Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/91 security vendors flagged this domain
URLQuery:        1 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.69.221 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     Cloudflare, Inc.
Registrar:       NameSilo, LLC

!!! REGISTRAR INTEGRITY ALERT — NameSilo !!!
NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about
received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com)
for 10 continuous years, and (3) retaliating against PhishDestroy by getting our
X/Twitter account @Phish_Destroy banned after we published the evidence.
Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket —
NameSilo has a track record of later claiming reports were never received.
Primary sources:
  https://phishdestroy.io/namesilo-killed-our-twitter
  https://phishdestroy.io/xmrwallet-namesilo-exposed

Nameservers:     ["lloyd.ns.cloudflare.com", "monroe.ns.cloudflare.com"]
Registered:      2026-04-28
Page title:      Likefire: One-Stop Global Investment Platform | Forex | Commodities | Stocks | Indices | Cryptocurrencies | Gold | Oil
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-21
Status:     INVALID chain
Fingerprint: 7663b0e61e030e924c279480f524656109c666fc32dd6e3e8af6e12229aaf590

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-28 21:03:34 UTC (by PhishDestroy tracker)
First reported:    2026-04-28 18:26:56 UTC (abuse notice filed)
Last verified:     2026-04-30 19:40:09 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dd540-d509-73f9-b90c-0a2c45da494a/
URLQuery:         https://urlquery.net/report/00d6577c-e192-4c50-b184-eca875ba9a6d
Wayback Machine:  https://web.archive.org/web/*/vantage-tw.com
crt.sh CT logs:   https://crt.sh/?q=%25.vantage-tw.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=vantage-tw.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/vantage-tw.com
URLhaus:          https://urlhaus.abuse.ch/host/vantage-tw.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-28 21:05:53 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies vantage-tw.com as a live credential-harvesting site masquerading as Vantage, a legitimate financial or investment platform. This fraudulent domain imitates official login pages to trick users into entering email-password combinations that are immediately sent to adversary-controlled servers. Victims risk direct financial loss, credential stuffing attacks, and potential follow-on identity theft if they reuse passwords elsewhere.    This domain was flagged after VirusTotal returned zero detections across 95 engines on 12fee5, indicating it evades current detection signatures. The domain was created on April 22, 2026, and is registered through NameSilo, LLC—an ICANN-accredited registrar frequently abused for low-cost, short-lived phishing infrastructure. It resolves to IPv4 address 104.21.69.221 on a shared hosting provider and holds a valid Let’s Encrypt SSL certificate to appear legitimate.    If you visited vantage-tw.com and entered any credentials, immediately change those passwords and enable multi-factor authentication on every account using the same email. Enable login alerts where available and revoke any suspicious third-party app integrations. Scan your device with updated antivirus software and consider a password manager to prevent reuse across sites. Report the incident to your IT department or security team and monitor financial statements closely for signs of fraud.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260428-26E3CF
Favicon MD5:       6cb6eeac9520578105a76ede9377b2fd
TLS cert SHA-256:      7663b0e61e030e924c279480f524656109c666fc32dd6e3e8af6e12229aaf590

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/vantage-tw.com/
JSON API:          https://api.destroy.tools/v1/check?domain=vantage-tw.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io