# PhishDestroy threat dossier — zerionwallet-tracker.web.app ================================================================ Fetched: 2026-07-17 00:07:54 UTC Canonical: https://phishdestroy.io/domain/zerionwallet-tracker.web.app/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 91/100 (PhishDestroy scoring — see methodology below) Scam classification: Crypto Drainer Targeted brand: Zerion ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 8/91 security vendors flagged this domain Flagging vendors: ChainPatrol, BitDefender, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, Sophos Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 199.36.158.100 (US, Mountain View) ASN: ASAS54113 FASTLY - Fastly, Inc., US Hosting org: AS54113 Fastly, Inc. Registrar: Google LLC Nameservers: NS_NOT_FOUND Registered: 2026-07-02 Page title: Crypto Wallet Tracker & Portfolio Tracking | Zerion HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WR4 Expires: 2026-08-18 Status: INVALID chain Fingerprint: 06cb0a7c412f539ce624bff0f5454f8a4a38c54b5ef8d6f8a7fc761b1b141ace Subject Alternative Names (related infrastructure — often same operator): - web.app ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-02 14:57:44 UTC (by PhishDestroy tracker) Last verified: 2026-07-17 01:30:21 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f22e6-cacb-72f0-9f4a-5f28f8dd795f/ Wayback Machine: https://web.archive.org/web/*/zerionwallet-tracker.web.app crt.sh CT logs: https://crt.sh/?q=%25.zerionwallet-tracker.web.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=zerionwallet-tracker.web.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/zerionwallet-tracker.web.app URLhaus: https://urlhaus.abuse.ch/host/zerionwallet-tracker.web.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-02 15:00:14 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, zerionwallet-tracker.web.app, is currently under investigation for operating as a crypto drainer. Analysis indicates it impersonates Zerion, a legitimate cryptocurrency wallet tracker and portfolio management platform, likely to deceive users into connecting their wallets. The site employs social engineering tactics, presenting itself as a tool for monitoring crypto assets while executing unauthorized transactions to drain funds from connected wallets. No specific drainer kit has been confirmed at this stage, but the domain’s structure and content align with known crypto drainer campaigns targeting decentralized finance (DeFi) users. Technical indicators reveal the domain has a VirusTotal detection score of 0/95, meaning no security vendors have flagged it as malicious at the time of analysis. It is registered through Google LLC and resolves to the IP address 199.36.158.100. The domain is hosted on Google’s Firebase platform, a common infrastructure for both legitimate and malicious applications. No creation date is publicly available due to Firebase’s domain registration obfuscation. Google Safe Browsing (GSB) currently does not list the domain as unsafe, and no blocklist entries have been recorded across major threat intelligence feeds. The page title, 'Crypto Wallet Tracker & Portfolio Tracking | Zerion,' further reinforces the impersonation attempt. As of the latest assessment, zerionwallet-tracker.web.app remains active and unflagged by most security tools. No takedown requests or sinkholing actions have been observed. Users are advised to exercise extreme caution when interacting with the domain, particularly when prompted to connect a wallet or input seed phrases. Cryptocurrency holders should verify the authenticity of any wallet tracker by cross-referencing official sources and using browser-based security extensions to detect potential threats. Given the domain’s current undetected status, manual verification and avoidance are critical to mitigating risk. [Updates since narrative was generated:] - Public blocklists: now listed on 3 feeds - VirusTotal detections: now 8/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 06cb0a7c412f539ce624bff0f5454f8a4a38c54b5ef8d6f8a7fc761b1b141ace ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/zerionwallet-tracker.web.app/ JSON API: https://api.destroy.tools/v1/check?domain=zerionwallet-tracker.web.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,547 domains (51,012 alive under monitoring, 128,535 confirmed takedowns/dead). Site: https://phishdestroy.io