# PhishDestroy threat dossier — web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app ================================================================ Fetched: 2026-04-28 16:26:40 UTC Canonical: https://phishdestroy.io/domain/web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Targeted brand: Uniswap Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CyRadar, ESET, Emsisoft, Fortinet, G-Data, Google Safebrowsing, Kaspersky, Lionic, OpenPhish, Sophos, VIPRE, Webroot Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 216.198.79.67 (US, Cleveland) ASN: AS16509 Amazon.com, Inc. Hosting org: CYPRESS COMMUNICATIONS, LLC Registrar: Vercel Inc. Nameservers: NS_NOT_FOUND Registered: 2026-04-28 Page title: Uniswap Interface HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WR1 Expires: 2026-07-27 Status: INVALID chain Fingerprint: f832dfb2653761e8b0001dbaf84eab20667c9bfb0520700547d3b3bf548143aa Subject Alternative Names (related infrastructure — often same operator): - vercel.app ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-28 16:53:51 UTC (by PhishDestroy tracker) Last verified: 2026-04-28 19:20:49 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dd45c-bad2-72bf-8b4c-310478a69c8f/ Wayback Machine: https://web.archive.org/web/*/web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app crt.sh CT logs: https://crt.sh/?q=%25.web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app URLhaus: https://urlhaus.abuse.ch/host/web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-28 16:57:05 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies the domain web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app as a high-risk brand impersonation threat actively targeting Uniswap users. Detected as a crypto drainer impersonating the legitimate Uniswap platform, this fraudulent site is designed to deceive users into connecting cryptocurrency wallets and authorizing malicious transactions. The domain remains active and has been classified as high-risk due to its direct impersonation of a globally recognized decentralized finance protocol. This domain was flagged by 15 of 95 VirusTotal security vendors and is categorized by Google Safe Browsing under SOCIAL_ENGINEERING. Registered through Vercel Inc., the domain resolves to IP address 216.198.79.67. Its SSL certificate is issued by Google Trust Services, adding false legitimacy to the impersonation. The presence of a TLS certificate does not validate the site’s authenticity—it only confirms encryption in transit. The site's naming pattern (web-git-10-01-tempswapfinalbugbash-) suggests a development or testing artifact possibly leaked or exploited in an open-source project or hackathon-related repository, further increasing the risk of accidental exposure to users unfamiliar with the legitimate Uniswap domains. The threat level is high and the domain remains active, indicating ongoing attempts to deceive users. It is strongly recommended that users avoid interacting with any links or content associated with this domain. Always verify any Uniswap-related link by manually typing the official domain (app.uniswap.org) or using trusted bookmarks. Use PhishDestroy’s real-time domain verification tool to assess this and other suspicious URLs before clicking. Additionally, users are advised to check their wallet transaction history for unauthorized activity and revoke any suspicious smart contract approvals using tools like revoke.cash. Monitor official channels from Uniswap and other reputable security organizations for alerts regarding this or similar impersonation sites. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: d887735262e1941853fc29ae03487bdc TLS cert SHA-256: f832dfb2653761e8b0001dbaf84eab20667c9bfb0520700547d3b3bf548143aa ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app/ JSON API: https://api.destroy.tools/v1/check?domain=web-git-10-01-tempswapfinalbugbash-uniswap.vercel.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io