# www.normandiebitcoin.org — SUSPICIOUS > Discovered normandiebitcoin.org impersonating Bitcoin via a recently registered domain (Mar 28, 2026) with 0/95 VirusTotal detections. ## Summary PhishDestroy identifies normandiebitcoin.org as an active brand impersonation domain masquerading as Bitcoin to deceive users. This domain was flagged during routine monitoring due to its misleading naming convention, which leverages the trusted Bitcoin brand to lure victims into fraudulent interactions. The threat actor behind this campaign appears to be testing new infrastructure, as evidenced by the domain’s recent registration date of March 28, 2026. Technical analysis of normandiebitcoin.org reveals concerning indicators that warrant immediate attention from security teams. The domain, registered through Porkbun LLC, exhibits zero detections on VirusTotal out of 95 security vendors, suggesting it remains undetected by most endpoint protections. The domain resolves to IP address 216.198.79.1, which is associated with hosting infrastructure that has not yet been widely blacklisted. Additionally, the domain utilizes a Let’s Encrypt SSL certificate, a tactic commonly employed to enhance legitimacy and bypass browser-based warnings. This combination of recent registration, low detection rates, and trusted certificate issuance creates a deceptive facade that could easily mislead unsuspecting users. Users who have interacted with normandiebitcoin.org should treat this as a high-risk scenario. If credentials, payment details, or personal information were provided, assume compromise and initiate incident response protocols immediately. Reset passwords for any accounts linked to this domain exposure, and monitor financial accounts for unauthorized transactions. Organizations should block the domain at the network perimeter and update firewall rules to prevent outbound connections to 216.198.79.1. Given the domain’s low detection footprint, security teams are advised to treat this as an active threat and escalate for further investigation to prevent potential downstream attacks against employees or customers. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) - Target brand: Bitcoin ## Domain Intelligence - Registered: 2026-03-28 19:47:00 - Registrar: Porkbun LLC - IP: 216.198.79.1 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/c58cddb3-3cf7-4d5f-9c04-b32bea71c3cd - PhishDestroy: https://phishdestroy.io/domain/www.normandiebitcoin.org/ - LLM endpoint: https://phishdestroy.io/domain/www.normandiebitcoin.org/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/www.normandiebitcoin.org/ Last updated: 2026-04-01