# PhishDestroy threat dossier — wealthavenue.xyz ================================================================ Fetched: 2026-07-14 04:57:55 UTC Canonical: https://phishdestroy.io/domain/wealthavenue.xyz/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Brand Impersonation Targeted brand: Aave ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: CRDF, Netcraft URLQuery: 2 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 62.72.50.187 (US, Phoenix) ASN: AS47583 Hostinger International Limited Hosting org: Hostinger International Limited Registrar: HOSTINGER operations, UAB Nameservers: cosmos.dns-parking.com, nova.dns-parking.com Registered: 2026-06-23 Expires: 2027-06-23 Page title: wealthavenue.xyz HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE2 Expires: 2026-09-21 Status: INVALID chain Fingerprint: 38f95c7a1f34d5682a03ae9aa3b298b864fcbcf649e557181eb2c671464ad5ee Subject Alternative Names (related infrastructure — often same operator): - www.wealthavenue.xyz ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-10 17:07:19 UTC (by PhishDestroy tracker) First reported: 2026-07-12 22:16:00 UTC (abuse notice filed) Last verified: 2026-07-14 04:20:38 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4c8f-e0bb-747c-83b6-b8ed3c324e6b/ URLQuery: https://urlquery.net/report/2c4d650a-093c-441f-872a-5e50f0f07103 Wayback Machine: https://web.archive.org/web/*/wealthavenue.xyz crt.sh CT logs: https://crt.sh/?q=%25.wealthavenue.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=wealthavenue.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/wealthavenue.xyz URLhaus: https://urlhaus.abuse.ch/host/wealthavenue.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-10 17:26:13 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as a high-risk brand impersonation site targeting users of the Aave decentralized finance protocol. Analysis indicates wealthavenue.xyz mimics legitimate Aave interfaces to deceive visitors into connecting cryptocurrency wallets or entering sensitive credentials, potentially leading to unauthorized fund transfers or account takeovers. The site presents itself as an official Aave portal, exploiting the platform's reputation to gain user trust. Infrastructure analysis reveals multiple technical indicators supporting this assessment. The domain was registered on June 23, 2026, through HOSTINGER operations, UAB, with an unusually future creation date suggesting potential domain abuse patterns. It currently resolves to IP address 62.72.50.187 and uses a Let's Encrypt SSL certificate, which while providing encryption does not validate legitimacy. VirusTotal detection shows 2 out of 95 security vendors have flagged wealthavenue.xyz as malicious, a low but notable detection rate that may increase as more vendors update signatures. If you visited wealthavenue.xyz or interacted with its content, immediate action is required. Disconnect any connected wallets from the site and revoke all associated smart contract approvals using a blockchain explorer or dedicated revocation tool. Scan all devices used to access the domain for malware, focusing on browser extensions and wallet software. Change passwords for any accounts accessed from the same device, particularly cryptocurrency exchange and DeFi platform credentials. Monitor connected wallets for unauthorized transactions and consider moving funds to a new wallet if any suspicious activity is detected. Report the domain to relevant security teams, including Aave's official reporting channels, to assist in takedown efforts. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-00C3CC Favicon MD5: b203affb54495a69ae4c169cf3f51aca TLS cert SHA-256: 38f95c7a1f34d5682a03ae9aa3b298b864fcbcf649e557181eb2c671464ad5ee ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/wealthavenue.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=wealthavenue.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,335 domains (50,012 alive under monitoring, 128,323 confirmed takedowns/dead). Site: https://phishdestroy.io