# PhishDestroy threat dossier — wasabicoin.lol
================================================================

Fetched:   2026-04-18 17:28:33 UTC
Canonical: https://phishdestroy.io/domain/wasabicoin.lol/

## VERDICT
----------------------------------------------------------------
ACTIVE THREAT — multiple warning signs
Composite threat score: 55/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/95 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.67.200.119
Registrar:       Global Domain Group LLC
Nameservers:     eugene.ns.cloudflare.com, keira.ns.cloudflare.com
Registered:      2026-04-17
Page title:      Wasabi Coin

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-07-16
Status:     INVALID chain
Fingerprint: 4f7c86ee57031302986a250f1f674a9c920a2327b333678ec2f697887f0b5dd9

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-17 (per WHOIS — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-18 15:45:36 UTC (by PhishDestroy tracker)
First reported:    2026-04-18 12:51:58 UTC (abuse notice filed)
Last verified:     2026-04-18 19:50:06 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019da09e-0e4e-7017-9564-c5b5c9309a94/
URLQuery:         https://urlquery.net/report/9e949932-54bf-4941-a188-6cf965bb4406
Wayback Machine:  https://web.archive.org/web/*/wasabicoin.lol
crt.sh CT logs:   https://crt.sh/?q=%25.wasabicoin.lol
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=wasabicoin.lol
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/wasabicoin.lol
URLhaus:          https://urlhaus.abuse.ch/host/wasabicoin.lol/

## ANALYST NARRATIVE
----------------------------------------------------------------
A recently registered domain called wasabicoin.lol has been identified as hosting a fake Wasabi Coin cryptocurrency wallet, designed to trick users into revealing sensitive credentials or transferring funds to attacker-controlled addresses. This site mimics legitimate Wasabi Coin services to steal digital assets or harvest login details through fraudulent login forms. Visitors should avoid interacting with any prompts for private keys, seed phrases, or wallet passwords. The page falsely presents itself as a Wasabi Coin service while potentially logging input or redirecting users to malware downloads. Exercising caution and verifying URLs through official channels remains essential before entering any information.

PhishDestroy identifies this threat based on concrete evidence including the domain's April 17, 2026 creation date, registration through Global Domain Group LLC, and current status still active. VirusTotal currently shows 0 detections out of 95 scans, indicating it has evaded automated detection despite its malicious intent. The domain resolves to IP address 172.67.200.119 and uses a Let’s Encrypt SSL certificate to appear legitimate. These indicators suggest active deployment with low detection coverage, increasing risk to uninformed users. The presence of such a domain highlights ongoing campaigns targeting cryptocurrency users who may not verify domain authenticity.

If you or someone you know visited wasabicoin.lol and entered any wallet information, private keys, seed phrases, or passwords, cease all further interaction with the site immediately. Disconnect from the internet to prevent potential remote access, then scan your device using updated antivirus software. Revoke any exposed API keys or wallet passwords through official Wasabi Coin support channels and consider transferring remaining funds to a newly generated, secure wallet. Enable hardware wallet authentication, multi-factor authentication on exchanges, and verify all URLs via official social media or verified announcements before proceeding with cryptocurrency transactions.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260418-769537
TLS cert SHA-256:      4f7c86ee57031302986a250f1f674a9c920a2327b333678ec2f697887f0b5dd9

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/wasabicoin.lol/
JSON API:          https://api.destroy.tools/v1/check?domain=wasabicoin.lol
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io