# PhishDestroy threat dossier — web3cashairdrop.xyz
================================================================
Fetched: 2026-06-19 11:59:34 UTC
Canonical: https://phishdestroy.io/domain/web3cashairdrop.xyz/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Airdrop Scam
Targeted brand: Airdrop Scam

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/91 security vendors flagged this domain
Flagging vendors: Forcepoint ThreatSeeker, Gridinsoft, SOCRadar
AlienVault OTX: 1 pulses (threat-intel feed mentions)
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 76.223.54.146 (US, Seattle)
Hosting org: AS16509 Amazon.com, Inc.
Registrar: GMO Internet Group, Inc. d/b/a Onamae.com
Nameservers: ["ns5.afternic.com", "ns6.afternic.com", "verification-gakbzzzqmt6gkcplw4efpp.ns101.verify.hn"]
Registered: 2026-06-12
Expires: 2027-06-12
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: GoDaddy.com / GoDaddy TLS Intermediate CA DV - R1v1
Expires: 2026-12-28
Status: INVALID chain
Fingerprint: 173af44fca92bf2cbf950a2db6982198d87cb734ed47d1ff5be7f14cc37b36cc

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-14 14:32:59 UTC (by PhishDestroy tracker)
Last verified: 2026-06-19 12:20:44 UTC
Current status: ACTIVE / observable

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-18 16:38:01 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies web3cashairdrop.xyz as a high-risk domain engaging in brand impersonation, a type of threat where attackers masquerade as a trusted brand to deceive victims. This type of threat is particularly insidious because it preys on the trust that users have in the legitimate brand, making them more likely to divulge sensitive information or perform actions that compromise their security.

This domain was flagged by 3 out of 95 security vendors on VirusTotal, indicating a significant level of suspicion, and it resolves to the IP address 76.223.54.146. Furthermore, web3cashairdrop.xyz appears on 3 security blocklists, which is a strong indicator of its malicious nature. The domain was registered through GMO Internet Group, Inc. d/b/a Onamae.com and was created on June 12, 2026, with an SSL certificate issued by GoDaddy.com, specifically GoDaddy TLS Intermediate CA DV - R1v1. It has been active since its creation and remains so, which suggests a persistent threat.

To mitigate the risks associated with brand impersonation scams like web3cashairdrop.xyz, users should be vigilant when interacting with websites, especially those that ask for sensitive information or prompt for actions that could compromise security.
It is crucial to verify the authenticity of a website by checking its URL carefully and looking for any signs of impersonation, such as misspellings or slight variations in the domain name. Moreover, keeping software and security solutions up to date can provide an additional layer of protection against such threats. By being cautious and taking proactive measures, individuals can significantly reduce their exposure to brand impersonation scams and protect their digital identities.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 91eb1c5166c050d61d85cd638a56566a
TLS cert SHA-256: 173af44fca92bf2cbf950a2db6982198d87cb734ed47d1ff5be7f14cc37b36cc

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets.
Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/web3cashairdrop.xyz/
JSON API: https://api.destroy.tools/v1/check?domain=web3cashairdrop.xyz
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 166,418 domains (14,392 alive under monitoring, 151,708 confirmed takedowns/dead).
Site: https://phishdestroy.io