# PhishDestroy threat dossier — vote-firelight.finance
================================================================

Fetched:   2026-05-02 04:39:48 UTC
Canonical: https://phishdestroy.io/domain/vote-firelight.finance/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 70/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/91 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.53.212 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     Cloudflare, Inc.
Registrar:       PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers:     ["gina.ns.cloudflare.com", "lou.ns.cloudflare.com"]
Registered:      2026-04-30
Expires:         2027-04-30
Page title:      Firelight – The Protection Layer for Digital Assets
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-29
Status:     INVALID chain
Fingerprint: 4869eab053e04d1a3ba71c605016a6c4df40a58b4cc9b492cf5c047bbd988d2d

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-30 19:38:42 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-04-30 16:41:38 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified:     2026-05-02 07:32:00 UTC
Current status:    ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means
the same domain name was previously registered, detected, dropped, and then re-registered
by a new party. PhishDestroy preserves the full historical record for operator-attribution
research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019ddf3f-94f0-778e-82e5-cf8f42975298/
URLQuery:         https://urlquery.net/report/aca4d13a-f663-4ca9-996e-5a5376b55d6d
Wayback Machine:  https://web.archive.org/web/*/vote-firelight.finance
crt.sh CT logs:   https://crt.sh/?q=%25.vote-firelight.finance
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=vote-firelight.finance
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/vote-firelight.finance
URLhaus:          https://urlhaus.abuse.ch/host/vote-firelight.finance/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-30 19:39:37 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies vote-firelight.finance as an active cryptocurrency investment scam impersonating FireLight Finance. The domain was registered on April 30, 2026, through PDR Ltd. d/b/a PublicDomainRegistry.com and resolves to IP 104.21.53.212. Despite hosting a fraudulent “FireLight Finance” site, it currently evades detection with 0 detections out of 95 scanners on VirusTotal, indicating a newly deployed threat that is not yet widely recognized.  voting-firelight.finance poses a high risk to cryptocurrency investors by luring victims with fake high-yield investment opportunities under the FireLight Finance brand. The domain leverages a Let's Encrypt SSL certificate to appear legitimate, further deceiving users who may overlook security indicators. The combination of low detection rates (0/95), recent domain creation, and use of a reputable registrar suggests an opportunistic campaign likely targeting users searching for legitimate financial platforms. The threat is active and spreading, with potential to escalate as more victims are compromised.  Users who visited vote-firelight.finance should immediately cease all transactions and revoke any connected cryptocurrency wallet permissions. Scan devices for malware using updated antivirus tools and change passwords on all financial accounts. Report the domain to your browser provider and local cybercrime unit. Block the IP 104.21.53.212 at the network level to prevent further access. Stay vigilant: any unsolicited investment opportunity promising high returns is likely fraudulent—always verify through official channels before engaging.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260430-9D8B34
Favicon MD5:       774908dd96042307639e40a6950e03a0
TLS cert SHA-256:      4869eab053e04d1a3ba71c605016a6c4df40a58b4cc9b492cf5c047bbd988d2d

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/vote-firelight.finance/
JSON API:          https://api.destroy.tools/v1/check?domain=vote-firelight.finance
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io