# PhishDestroy threat dossier — wag7u.xyz ================================================================ Fetched: 2026-07-08 14:54:37 UTC Canonical: https://phishdestroy.io/domain/wag7u.xyz/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 80/100 (PhishDestroy scoring — see methodology below) Targeted brand: Bridge Scam ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 7/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Bfore.Ai PreCrime, BitDefender, Forcepoint ThreatSeeker, G-Data, Kaspersky, SOCRadar Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.165.169.123 (RO, Bucharest) ASN: AS200651 FlokiNET ehf Hosting org: FlokiNET Romania Registrar: Spaceship, Inc. Nameservers: launch1.spaceship.net, launch2.spaceship.net Registered: 2026-01-13 Expires: 2027-01-13 Page title: Wagyu | Private Cross-Chain Bridge HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE2 Expires: 2026-09-02 Status: INVALID chain Fingerprint: dfbf0469f74a3e83c91706b5b8f91ae8ba7e096208ca622563fd12fcbefdd63e ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-01-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-08 13:59:39 UTC (by PhishDestroy tracker) Last verified: 2026-07-08 16:25:15 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4198-0720-70b6-afaf-14435f6c2deb/ Wayback Machine: https://web.archive.org/web/*/wag7u.xyz crt.sh CT logs: https://crt.sh/?q=%25.wag7u.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=wag7u.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/wag7u.xyz URLhaus: https://urlhaus.abuse.ch/host/wag7u.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-08 14:06:59 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, wag7u.xyz, operates as a fraudulent cross-chain bridge platform targeting cryptocurrency users. The site mimics legitimate decentralized finance (DeFi) infrastructure, specifically impersonating a private cross-chain bridge service under the guise of "Wagyu | Private Cross-Chain Bridge." Users who interact with this domain risk unauthorized asset transfers, commonly known as a crypto drainer scam, where funds are irreversibly siphoned from connected wallets. The threat is particularly insidious because it exploits trust in blockchain interoperability solutions, often promoted through social engineering or malicious advertisements. Analysis indicates the domain was registered on January 13, 2026, through Spaceship, Inc., a registrar with a history of hosting high-risk domains. Infrastructure analysis reveals the site resolves to the IP address 185.165.169.123, a host associated with multiple fraudulent schemes. Security vendors on VirusTotal have flagged wag7u.xyz as malicious, with 7 out of 95 engines detecting threats, including indicators of phishing and crypto-related fraud. The SSL certificate, issued by Let's Encrypt, provides basic encryption but does not validate the legitimacy of the service, a common tactic used to create a false sense of security. If you have visited wag7u.xyz or connected a wallet to this site, immediate action is required. Disconnect the wallet from all dApps and revoke any suspicious token approvals using a blockchain explorer or a dedicated revocation tool. Scan the device used to access the site for malware, as crypto drainers often deploy additional payloads to maintain persistence. Monitor wallet activity closely for unauthorized transactions and consider transferring remaining assets to a new, secure wallet. Report the domain to relevant threat intelligence platforms to aid in takedown efforts and warn other potential victims. Users should also verify the authenticity of any DeFi service by cross-referencing official documentation and community channels before interacting with it. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: cd9f7c8720086c3f29ccf3c9a8c8e49d TLS cert SHA-256: dfbf0469f74a3e83c91706b5b8f91ae8ba7e096208ca622563fd12fcbefdd63e ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/wag7u.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=wag7u.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 176,190 domains (13,334 alive under monitoring, 161,869 confirmed takedowns/dead). Site: https://phishdestroy.io