# PhishDestroy threat dossier — xplatform-wallet.com
================================================================

Fetched:   2026-05-08 16:07:37 UTC
Canonical: https://phishdestroy.io/domain/xplatform-wallet.com/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 69/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      1/95 security vendors flagged this domain
  Flagging vendors: Forcepoint ThreatSeeker
URLQuery:        3 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.96.3 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     CloudFlare, Inc.
Registrar:       Hosting Concepts B.V. d/b/a Registrar.eu
Nameservers:     elma.ns.cloudflare.com, sage.ns.cloudflare.com
Registered:      2026-04-23
Page title:      X Token Wallet
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-22
Status:     INVALID chain
Fingerprint: 13869bdc9d0f7ae9a611e8f4ff0279fbdb3da4d1c4792fa5fc59f0000c643c72

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-05-06 14:06:24 UTC (by PhishDestroy tracker)
First reported:    2026-05-06 11:08:09 UTC (abuse notice filed)
Last verified:     2026-05-08 16:37:34 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dfcf6-ce1a-705d-9c7c-c2ff2fd3ae40/
URLQuery:         https://urlquery.net/report/e4fd2b6c-face-4267-8f10-9cac5864af53
Wayback Machine:  https://web.archive.org/web/*/xplatform-wallet.com
crt.sh CT logs:   https://crt.sh/?q=%25.xplatform-wallet.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=xplatform-wallet.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/xplatform-wallet.com
URLhaus:          https://urlhaus.abuse.ch/host/xplatform-wallet.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-06 14:06:56 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies xplatform-wallet.com as an elevated-risk crypto drainer domain designed to steal cryptocurrency assets from unsuspecting users. This site employs sophisticated techniques to drain wallets during transaction approvals, posing a severe threat to cryptocurrency holders. The domain exhibits multiple red flags that indicate malicious intent rather than legitimate service functionality.

This domain was flagged by PhishDestroy with a crypto drainer threat classification. VirusTotal analysis shows 1 out of 95 security vendors detected this domain as malicious. The domain resolves to IP address 188.114.96.3 and was registered through Hosting Concepts B.V. d/b/a Registrar.eu on April 23, 2026. The SSL certificate from Let's Encrypt provides no security assurance as malicious actors frequently use legitimate certificates to appear trustworthy. The recent domain creation date of April 23, 2026 suggests a quickly established operation, while the low VirusTotal detection rate indicates either new malicious infrastructure or sophisticated evasion techniques.

To protect against crypto drainer threats like xplatform-wallet.com, users must exercise extreme caution when approving cryptocurrency transactions. Never interact with unknown wallet platforms or approve transactions from suspicious websites. Use hardware wallets for all cryptocurrency transactions and verify site legitimacy through official channels. Install cryptocurrency-specific browser extensions that detect and block drainer scripts. Always check transaction approval requests carefully for suspicious permissions or unusual token requests. Consider using transaction simulation tools to preview approval effects before confirming any crypto operations. If exposure occurs, immediately revoke suspicious token approvals and transfer assets to a secure wallet.

[Updates since narrative was generated:]
  - WHOIS creation date: 2026-04-23

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260506-6BA8E4
Favicon MD5:       4e5d8763a43b7eb660feda43ba1a84cf
TLS cert SHA-256:      13869bdc9d0f7ae9a611e8f4ff0279fbdb3da4d1c4792fa5fc59f0000c643c72

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/xplatform-wallet.com/
JSON API:          https://api.destroy.tools/v1/check?domain=xplatform-wallet.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 146,051 domains (47,910 alive under monitoring, 97,858 confirmed takedowns/dead). Site: https://phishdestroy.io