# PhishDestroy threat dossier — zokups.com
================================================================

Fetched:   2026-04-21 19:56:29 UTC
Canonical: https://phishdestroy.io/domain/zokups.com/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 87/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Crypto Casino / Gambling

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/95 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.94.222 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     Cloudflare, Inc.
Registrar:       Fewmoretaps OU d/b/a Trustname.com

!!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!!
Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1
employee, negative equity, Belarusian ownership. Explicitly advertises itself as
'bulletproof' in its DNS TXT records. Primary source:
  https://phishdestroy.io/trustname-bulletproof-exposed

Nameservers:     melina.ns.cloudflare.com, pete.ns.cloudflare.com
Registered:      2026-04-14
Page title:      Zokups: Elon Musk’s Official Crypto Casino Powered by Blockchain
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-07-14
Status:     INVALID chain
Fingerprint: c5cd77c7e5f1c71ed6a2394e1775f26ec613d2d86c63d508a0a5434133832aaa

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-21 12:57:01 UTC (by PhishDestroy tracker)
First reported:    2026-04-21 10:01:31 UTC (abuse notice filed)
Last verified:     2026-04-21 20:15:35 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019daf76-8fb9-718a-947c-2c47a1abb123/
URLQuery:         https://urlquery.net/report/88d9651c-d445-4958-8a4b-bf90e5c765ad
Wayback Machine:  https://web.archive.org/web/*/zokups.com
crt.sh CT logs:   https://crt.sh/?q=%25.zokups.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=zokups.com
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/zokups.com
URLhaus:          https://urlhaus.abuse.ch/host/zokups.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-21 12:58:40 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies zokups.com as an active crypto drainer scam leveraging brand impersonation of Elon Musk to deceive users into connecting crypto wallets under the guise of a blockchain-powered casino platform. The page title explicitly references 'Elon Musk’s Official Crypto Casino Powered by Blockchain,' indicating a deliberate attempt to exploit trust in high-profile figures within the cryptocurrency ecosystem. While no specific drainer kit has been publicly documented for this domain, the presence of a fraudulent casino interface strongly suggests the deployment of a crypto-draining mechanism designed to siphon digital assets upon wallet connection. This tactic aligns with recent trends in crypto scams where threat actors leverage social engineering and celebrity impersonation to maximize victim engagement and financial yield.  This domain resolves to IP address 104.21.94.222 and was registered on April 14, 2026, through the registrar Fewmoretaps OU d/b/a Trustname.com. Notably, the domain utilizes a Let's Encrypt SSL certificate, which may be used to enhance perceived legitimacy. As of the latest scan, VirusTotal reports 0 detections out of 95 engines, indicating it remains undetected by most antivirus and security platforms. The domain has not been flagged in Google Safe Browsing (GSB) and shows no presence on major threat intelligence blocklists, highlighting a window of opportunity for propagation before widespread recognition.  Current status indicates the domain remains active and poses an elevated risk due to its undetected status and sophisticated branding. Immediate defensive actions include adding zokups.com and its resolving IP to organizational blocklists, monitoring for outbound connections, and updating user awareness training to emphasize skepticism toward unsolicited crypto investment opportunities tied to public figures. While the immediate risk is classified as 'under_investigation,' the lack of detections and recent registration date suggest this threat may escalate rapidly. Organizations are advised to treat this domain with high suspicion and implement proactive blocking measures to prevent potential financial loss.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260421-09AE8E
Favicon MD5:       3dc859009fc95e2fe4fb64e9e5df964c
TLS cert SHA-256:      c5cd77c7e5f1c71ed6a2394e1775f26ec613d2d86c63d508a0a5434133832aaa

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/zokups.com/
JSON API:          https://api.destroy.tools/v1/check?domain=zokups.com
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io