# PhishDestroy threat dossier — zhongchinling.com
================================================================

Fetched:   2026-06-06 19:12:53 UTC
Canonical: https://phishdestroy.io/domain/zhongchinling.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 83/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      2/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      2.57.241.243 (SG, Singapore)
ASN:             AS43180 Trunk Networks LTD
Hosting org:     Sollutium SP Z O O
Registrar:       Fewmoretaps OU d/b/a Trustname.com

!!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!!
Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1
employee, negative equity, Belarusian ownership. Explicitly advertises itself as
'bulletproof' in its DNS TXT records. Primary source:
  https://phishdestroy.io/trustname-bulletproof-exposed

Nameservers:     ["ares.trustname.com", "zeus.trustname.com"]
Registered:      2026-04-28
Page title:      zhongchinling.com
HTTP response:   525

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     none
Status:     INVALID chain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either
the hosting provider / registrar suspended it on their own, the DNS went dead, or the
operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file
for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-28 18:53:55 UTC (by PhishDestroy tracker)
First reported:    2026-04-28 16:08:39 UTC (abuse notice filed)
Last verified:     2026-06-06 21:02:02 UTC
Neutralised:       2026-06-06 17:33:52 UTC
Current status:    taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dd4c9-e436-741b-b06e-05914570c404/
URLQuery:         https://urlquery.net/report/124e7599-7f7d-4183-b34b-e7a056093258
Wayback Machine:  https://web.archive.org/web/*/zhongchinling.com
crt.sh CT logs:   https://crt.sh/?q=%25.zhongchinling.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=zhongchinling.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/zhongchinling.com
URLhaus:          https://urlhaus.abuse.ch/host/zhongchinling.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-28 18:56:36 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy's latest threat advisory highlights zhongchinling.com as an active crypto drainer domain under investigation. This domain was registered through Fewmoretaps OU d/b/a Trustname.com and went live on March 01, 2026. Historical intelligence reveals a suspicious infrastructure footprint, with the domain resolving to IP address 2.57.241.243. Despite its recent deployment, VirusTotal currently reports zero detections across 95 security engines, indicating a stealthy operation likely targeting cryptocurrency users through fraudulent transaction interfaces or wallet connection prompts. The threat actor leverages a newly registered domain to evade traditional blocklists, exploiting the trust gap before security vendors catch up.  Technical indicators reinforce the high-risk nature of this campaign. The domain's registration details—processed via a lesser-known registrar with opaque ownership—suggest intentional anonymization to prolong operational longevity. The creation timestamp (March 01, 2026) implies a forward-leaning attack strategy, possibly timed to coincide with market volatility or major events. With no antivirus coverage as of this advisory, the risk of successful compromise remains elevated until broader detection coverage is achieved. Users interacting with this domain risk unauthorized cryptocurrency transfers or credential harvesting via spoofed interfaces mimicking legitimate platforms.  For users who may have visited zhongchinling.com, immediate action is required to mitigate exposure. Disconnect any active wallet connections or browser sessions to the site, and revoke any recently approved permissions through your wallet’s interface. If cryptocurrency was transferred or login credentials were entered, contact your wallet provider or exchange support immediately to assess potential losses or account takeovers. Additionally, report the domain to your organization’s security team or through platforms like PhishDestroy to aid in rapid takedown efforts. Regularly monitor transaction histories and enable multi-factor authentication wherever possible to reduce future attack surfaces.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260428-AA69F6
Favicon MD5:       90229c0feb7d2ef63087d0f5ca245e90

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/zhongchinling.com/
JSON API:          https://api.destroy.tools/v1/check?domain=zhongchinling.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 157,473 domains (42,701 alive under monitoring, 113,950 confirmed takedowns/dead). Site: https://phishdestroy.io