# PhishDestroy threat dossier — xmtradeonline.com
================================================================
Fetched: 2026-06-25 08:50:49 UTC
Canonical: https://phishdestroy.io/domain/xmtradeonline.com/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 78/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 12/91 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, ChainPatrol, alphaMountain.ai, BitDefender, CRDF, CyRadar, Fortinet, G-Data, Kaspersky, Lionic, Netcraft, Sophos
URLQuery: 2 detections
AlienVault OTX: 1 pulse (threat-intel feed mentions)
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 198.251.89.220 (US, Cheyenne)
ASN: ASAS53667 PONYNET - FranTech Solutions, US
Hosting org: AS53667 FranTech Solutions
Registrar: Dynadot Inc
Nameservers: ns27.my-control-panel.com, ns28.my-control-panel.com
Registered: 2025-05-09
Expires: 2027-05-09
Page title: XM Trade Online
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: none
Status: INVALID chain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2025-05-09 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-24 18:17:24 UTC (by PhishDestroy tracker)
First reported: 2026-06-24 16:24:43 UTC (abuse notice filed)
Last verified: 2026-06-25 10:45:19 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019efa6a-1c3f-76fb-9f80-3e9bbc6173eb/
URLQuery: https://urlquery.net/report/e6f73947-d0f1-4a52-a90e-9efc463fcbba
Wayback Machine: https://web.archive.org/web/*/xmtradeonline.com
crt.sh CT logs: https://crt.sh/?q=%25.xmtradeonline.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=xmtradeonline.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/xmtradeonline.com
URLhaus: https://urlhaus.abuse.ch/host/xmtradeonline.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-24 20:27:13 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain xmtradeonline.com poses a significant threat as a potential fraudulent trading platform. Based on its name and high-risk indicators, it likely impersonates a legitimate online trading or investment service to deceive users into depositing funds, which may then be stolen. The site presents a risk of financial fraud and credential theft for visitors.

Technical analysis shows that 13 out of 95 VirusTotal security vendors flagged this domain as malicious, including ADMINUSLabs, ChainPatrol, alphaMountain.ai, BitDefender, and CRDF. It appears on 3 blocklists. The domain was registered on 2025-05-09 through Dynadot Inc, with IP address 198.251.89.220.
Its nameservers are ns27.my-control-panel.com and ns28.my-control-panel.com. The domain status is ACTIVE. The domain risk score is 85, indicating a high threat level. The site is currently active and hosted on a shared IP. Its recent creation date and high detection rate strongly suggest it is a malicious domain, likely engaged in financial scams. Immediate blocking is recommended.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260624-9DE3BD
Favicon MD5: 8a47a934f526ee0143fc97352ff68c28

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/xmtradeonline.com/
JSON API: https://api.destroy.tools/v1/check?domain=xmtradeonline.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 169,803 domains (15,655 alive under monitoring, 153,792 confirmed takedowns/dead).
Site: https://phishdestroy.io