Knowledge Base · 40+ Questions · Full Technical Details

Frequently Asked Questions

Everything about our detection pipeline, 30+ parsers, 50+ vendor integrations, free Threat API, scoring methodology, data feeds, and how we protect users from phishing and crypto scams.

104K+ Domains Tracked
770K+ API Threats
50+ Vendor Reports
30+ Parsers
23K+ Abuse Reports
<0.01% False Positives

About PhishDestroy

Who we are, our mission, and what we've achieved

What is PhishDestroy?

PhishDestroy is an independent, non-commercial threat intelligence platform that has been disrupting phishing, crypto scams, and wallet drainer operations since 2019. We are a small team of volunteer threat hunters who work across the full attack lifecycle, from detection to takedown.

Our infrastructure includes:

  • 30+ proprietary parsers monitoring CT logs, DNS, ads, social media, and partner feeds in real time
  • Automated reporting to 50+ vendors — Cloudflare, Google Safe Browsing, Microsoft, VirusTotal, ESET, Bitdefender, Netcraft, Norton, and more
  • Free Threat API at api.destroy.tools covering 770,000+ threats with real-time risk scoring
  • Destroylist — open-source blocklists on GitHub in 7 formats (JSON, TXT, Hosts, AdBlock, Dnsmasq, Unbound, RPZ)
  • Public domain database at phishdestroy.io/domain with 104,000+ analyzed domains

Our results: 104,000+ phishing domains tracked, 23,000+ abuse reports filed, 79,000+ takedowns coordinated, with a false positive rate below 0.01%.

Who runs PhishDestroy? Is it a company?

No, PhishDestroy is not a company. It is a volunteer-driven, non-commercial project run by a small team of threat hunters with backgrounds in cybersecurity, blockchain forensics, and abuse handling.

We are completely independent:

  • No corporate backing or investors
  • No paid delistings — never, ever
  • No donations or sponsorships accepted
  • Not affiliated with any registrar, hosting provider, or AV vendor

We started by hunting Steam scammers and spammy ads. Today our scope is global crypto phishing, drainer networks, and large-scale fraud operations. We conduct end-to-end casework: tracing money on-chain, mapping infrastructure, and linking campaigns to specific operators. Learn more on our About page.

What are PhishDestroy's key achievements?

Since 2019, we have achieved:

104,000+ Phishing domains detected and tracked across 350+ brands
23,000+ Formal abuse reports filed to registrars, hosts, and AV vendors
79,000+ Successful domain takedowns coordinated
770,000+ Threats indexed in our API database
500,000+ Historical domains archived (5+ years of data)
50+ Security vendors receiving our threat data
30+ Proprietary parsers running 24/7
13+ Community sources aggregated in our blocklists
<0.01% False positive rate

Key investigations: XMRWallet Exposed (fake Monero wallet stealing millions over 10 years), TrustWallet Panel Exposed ($8.5M drainer panel with 1,900 leaked chat logs), TheProject Scam Empire (hundreds of coordinated domains).

Is everything really free?

Yes, 100% free. We sell nothing, accept no donations, and never charge for any service:

How can I contact PhishDestroy?

Detection Pipeline & Methodology

Our 4-phase threat intelligence workflow in detail

How does the 4-phase detection pipeline work?

Our pipeline processes thousands of domains daily through 4 phases:

Phase 1: Pre-emptive Discovery & Ingestion

We utilize a distributed network of 30+ proprietary parsers to identify malicious domains at their earliest stage:

  • Certificate Transparency (CT) logs — real-time monitoring of new SSL certificates to catch phishing domains within minutes of registration
  • DNS monitoring — tracking new domain registrations and suspicious configurations
  • Malvertising detection — continuous monitoring of Google Ads, SEO-manipulated search results, and trending social media campaigns on Twitter/X, YouTube, and Telegram
  • Typosquatting — leveraging dnstwist and custom heuristics to catch look-alike domains targeting established brands
  • Community intelligence — real-time ingestion via our Telegram Bot, email, and partner feeds
  • Phishing feed aggregation — integration with 13+ community sources including OpenPhish, PhishTank, URLhaus

Phase 2: Analysis & Scoring

  • 95 AV engines via VirusTotal
  • WHOIS/DNS enrichment (registrar, nameservers, IP geolocation, country)
  • SSL certificate analysis (issuer, SANs, validity dates)
  • Screenshot capture and visual content matching
  • Phishing kit fingerprinting
  • Risk score computation (0-100) from 12+ weighted signals

Phase 3: Global Vendor Reporting

Once confirmed, we submit to 50+ vendors simultaneously:

Cloudflare, Google Safe Browsing, Microsoft Security, VirusTotal, Netcraft, ESET, Bitdefender, Norton Safe Web, Avira, PhishTank, Dr.Web, Yandex Safe Browsing, URLScan.io, PolySwarm, SiteReview, Urlquery, PhishStats, PhishReport, IsItPhish, ThreatCenter

Plus formal abuse notifications to domain registrars and hosting providers with evidence packages.

Phase 4: Public Transparency

What is the risk scoring methodology?

Every domain receives a risk score from 0 to 100 based on weighted signals:

Signal | Points | Description
Curated blocklist | +40 | Present in our primary Destroylist
DNS active | +30 | Domain currently resolves via DNS
Community reported | +20 | Flagged by community feeds
Multi-source | +10 | Confirmed by 2+ independent feeds
Suspicious keywords | +5 each | metamask, wallet, airdrop, connect, claim, etc.
Risky TLD | +5 | .xyz, .top, .club, .icu, .buzz, .cfd, etc.

Severity levels:

70-100 CRITICAL · 40-69 HIGH · 20-39 MEDIUM · 1-19 LOW

Additionally, our internal domain reports (at phishdestroy.io/domain) use a separate enriched scoring system that incorporates VirusTotal detections, WHOIS age, SSL patterns, content analysis, brand impersonation distance, and historical registrar abuse rates across 12+ signals.
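
The weighted-signal table above, written out as a scoring function so each signal's contribution to a score is visible. This is an added example, not PhishDestroy's code. It assumes substring keyword matching and a clamp at 100, uses only the keywords and TLDs the page names, and the Signals class and its field names are hypothetical.

```python
from dataclasses import dataclass

# Point values copied from the scoring table on this page.
CURATED, DNS_ACTIVE, COMMUNITY, MULTI_SOURCE = 40, 30, 20, 10
PER_KEYWORD, RISKY_TLD = 5, 5
# Only the entries the page names; both lists end in "etc." there, so they are incomplete.
KEYWORDS = ("metamask", "wallet", "airdrop", "connect", "claim")
RISKY_TLDS = {"xyz", "top", "club", "icu", "buzz", "cfd"}


@dataclass
class Signals:  # hypothetical container, not an API type
    domain: str
    curated: bool = False             # present in the primary Destroylist
    dns_active: bool = False          # currently resolves via DNS
    community_reported: bool = False  # flagged by community feeds
    feed_count: int = 0               # independent feeds confirming the domain


def severity(score):
    """Map a 0-100 score onto the page's severity bands (0 has no band there)."""
    if score >= 70:
        return "CRITICAL"
    if score >= 40:
        return "HIGH"
    if score >= 20:
        return "MEDIUM"
    return "LOW" if score >= 1 else "NONE"


def risk_score(s):
    """Return (score, severity, breakdown) for one domain."""
    name = s.domain.strip().rstrip(".").lower()
    breakdown = {}
    if s.curated:
        breakdown["Curated blocklist"] = CURATED
    if s.dns_active:
        breakdown["DNS active"] = DNS_ACTIVE
    if s.community_reported:
        breakdown["Community reported"] = COMMUNITY
    if s.feed_count >= 2:
        breakdown["Multi-source"] = MULTI_SOURCE
    # Assumption: a keyword counts once if it appears anywhere in the hostname.
    hits = [k for k in KEYWORDS if k in name]
    if hits:
        breakdown["Suspicious keywords: " + ", ".join(hits)] = PER_KEYWORD * len(hits)
    if name.rsplit(".", 1)[-1] in RISKY_TLDS:
        breakdown["Risky TLD"] = RISKY_TLD
    # Assumption: the raw sum can exceed 100, so it is clamped to the stated range.
    score = min(100, sum(breakdown.values()))
    return score, severity(score), breakdown


if __name__ == "__main__":
    # Constructed inputs, not real feed data.
    for sig in (
        Signals("metamask-wallet-claim.xyz", True, True, True, 3),
        Signals("claim-airdrop.top"),
        Signals("example.com", dns_active=True),
    ):
        print(sig.domain, *risk_score(sig)[:2])
```

With the names listed on the page, keywords and TLD alone top out at 30 (MEDIUM); a HIGH or CRITICAL score requires at least one list or DNS signal.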

What makes PhishDestroy different from other blocklists?

Most blocklists only list domains. We do end-to-end threat intelligence:

  • Pre-emptive detection — we catch domains minutes after registration, before they reach victims
  • Deep investigation — we trace crypto on-chain, map infrastructure, decompile phishing kits, and link campaigns to operators
  • "Root-level" access — we've obtained access to drainer panels, phishing kit source code, and operator chat logs, giving us unparalleled insight into attacker TTPs
  • Active takedown — we don't just flag domains; we file evidence packages with registrars, hosts, and 50+ AV vendors and track each domain until it's dead
  • Content verification — our Content-Verified feeds go beyond DNS: we perform actual HTTP requests to verify the phishing page is live, detecting cloaking attempts
  • Registrar accountability — we publicly track registrar abuse rates and response times, creating accountability for negligent providers

What is content verification? Why does it matter?

Content verification means we don't just check if a domain resolves (DNS), but actually visit the page and verify phishing content is present.

This matters because scammers use cloaking: they show fake/blank pages to automated scanners while showing the real phishing page to human victims. A domain NOT appearing in our content-verified list does not mean it's safe — it may simply be cloaked.

Our content-verified feeds:

  • Primary Content — curated domains with verified active phishing content (updated every 12h)
  • Community Content — aggregated feeds with verified content (updated every 24h)

For maximum protection, use our Primary All or Community General feeds, which include all domains regardless of content verification status.

How accurate is PhishDestroy?

Our false positive rate is below 0.01%. Every automated detection passes through multiple verification layers before a report is filed. We maintain:

  • Allowlist — a manually curated list of known-good domains that are never flagged
  • 48-hour appeals — every false positive is reviewed and resolved quickly
  • Continuous classifier refinement — we track every appeal outcome and update detection logic
  • Multi-source cross-validation — domains must trigger multiple signals before being confirmed

What phishing kits and drainers do you track?

We track all major wallet drainer families and phishing kit types:

  • Wallet Connect abuse — fake WalletConnect prompts stealing approvals
  • Inferno Drainer — one of the most prolific multi-chain drainers
  • Angel Drainer — advanced drainer with NFT support
  • Pink Drainer — social engineering + drain combo
  • Permit/Approval phishing — ERC-20 token approval exploits (Permit2)
  • Seed phrase theft — fake "verify wallet" or "sync wallet" forms
  • AML/KYC scams — fake compliance verification pages
  • Airdrop scams — fake token claim pages
  • Investment scams — fake trading platforms, Ponzi schemes
  • Solana Drainer — Solana-specific wallet drain kits

Browse our database by drainer type, scam method, or targeted brand.

Threat API & Data Feeds

Free API access, blocklist feeds, and download formats

What is the PhishDestroy Threat API?

The PhishDestroy Threat API is a free, open API providing real-time domain risk scoring across 770,000+ threats. No API key required.

Endpoints:

Method | Endpoint | Description
GET | /v1/check?domain= | Single domain check with risk score & severity
POST | /v1/check/bulk | Bulk check up to 500 domains per request
GET | /v1/search?q= | Search blocklisted domains by keyword
GET | /v1/feed/{list} | Download full feeds (primary, community, active)
GET | /v1/stats | Live statistics & domain counts

Example:

curl "https://api.destroy.tools/v1/check?domain=suspicious-site.xyz"

Response includes: threat (boolean), risk_score (0-100), severity (critical/high/medium/low), lists (which feeds contain the domain), and last_seen timestamp.

What data feeds are available?

We provide 7 distinct data feeds via the Destroylist repository:

Feed | Description | Update
Primary | Curated phishing domains from our parsers | Real-time
Primary Live | Primary domains verified alive via DNS | Every 24h
Primary Content | Primary + verified phishing content via HTTP | Every 12h
Community | Aggregated from 13+ external sources | Every 2h
Community Live | Community domains verified alive via DNS | Every 24h
Community Content | Community + verified phishing content | Every 24h
Allowlist | False positive protection list | Manual

Recommended: Use list.json or active_domains.json for production. Use blocklist.json for maximum coverage.

All feeds available in JSON and TXT format. Root domain lists (no subdomains, hosting providers excluded) also available separately.

What download formats are supported?

Every feed is available in 7 formats for instant integration:

Format | Use Case
TXT | Plain domain list — universal
JSON | Structured data — API integrations, scripts
Hosts | Pi-hole, /etc/hosts, Windows hosts file
AdBlock | uBlock Origin, AdGuard, AdGuard Home
Dnsmasq | Dnsmasq DNS server
Unbound | pfSense, OPNsense firewalls
RPZ | BIND, Knot DNS (Response Policy Zone)

All formats available at: github.com/phishdestroy/destroylist/tree/main/rootlist/formats/

How do I use the API in my code?

Python:

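import requests

domain = "suspicious-site.xyz"  # domain to check
# Pass the domain via params so it is URL-encoded, and set a timeout.
r = requests.get("https://api.destroy.tools/v1/check",
                 params={"domain": domain}, timeout=10)
r.raise_for_status()  # fail on HTTP errors instead of parsing an error body
data = r.json()
if data["threat"]:
    print(f"BLOCKED: {data['severity']} (score: {data['risk_score']})")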

JavaScript:

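const domain = "suspicious-site.xyz"; // domain to check
// encodeURIComponent keeps the input from altering the query string
const r = await fetch(`https://api.destroy.tools/v1/check?domain=${encodeURIComponent(domain)}`);
const data = await r.json();
if (data.threat) console.warn("PHISHING:", data.severity, data.risk_score);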

Bulk Check (up to 500 domains):

curl -X POST "https://api.destroy.tools/v1/check/bulk" \
  -H "Content-Type: application/json" \
  -d '{"domains":["site1.com","site2.xyz","site3.top"]}'

Simple blocklist check (Bash):

# -x -F: match a whole line as a fixed string, not a regex substring
curl -fsS https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.txt \
  | grep -qxF "suspicious-domain.com" && echo "BLOCKED"

What are Root Lists and why should I use them?

Root lists contain only root-level domains — no subdomains, and hosting providers (Vercel, Pages.dev, Netlify, etc.) are excluded. This makes them ideal for:

  • Firewall rules — block entire domains, not just specific subdomains
  • DNS blocking — safe for DNS resolvers without risk of blocking legitimate hosting platforms
  • Registrar analysis — clean data for abuse rate calculations

Three variants available:

  • All Roots — all confirmed root domains
  • Live Only — DNS-verified active roots
  • Services Only — hosting platform subdomains separately (Vercel, Pages.dev, Netlify, etc.)
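
Because root lists hold only root-level domains, a lookup has to test a hostname's parent domains on label boundaries rather than search for a substring. The matcher below is an added example, not part of Destroylist. It assumes the TXT format is one domain per line with optional # comments and that an allowlisted name overrides a block entry; the sample lists are constructed and all function names are hypothetical.

```python
import re

# Constructed sample of a root list in TXT form; not real feed data.
SAMPLE_ROOTLIST = """\
# constructed sample
evil-drainer.xyz
notsuspicious-domain.com
Claim-Airdrop.top.
cleared-shop.com
"""
SAMPLE_ALLOWLIST = "cleared-shop.com\n"  # constructed: a domain cleared on appeal


def normalize(host):
    """Lower-case and drop surrounding whitespace and the trailing root dot."""
    return host.strip().rstrip(".").lower()


def parse_list(text):
    """Parse a one-domain-per-line list into a set, skipping blanks and comments."""
    entries = set()
    for line in text.splitlines():
        name = normalize(line.split("#", 1)[0])
        if name:
            entries.add(name)
    return entries


def candidates(host):
    """Yield the host and each parent domain down to two labels."""
    labels = normalize(host).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def lookup(host, blocked, allowed=frozenset()):
    """Return the matching block entry, or None if allowlisted or not listed."""
    names = list(candidates(host))
    if any(n in allowed for n in names):
        return None
    return next((n for n in names if n in blocked), None)


def grep_like(needle, text):
    """What an unanchored `grep -q needle` tests: a regex match anywhere in the text."""
    return re.search(needle, text) is not None


if __name__ == "__main__":
    blocked = parse_list(SAMPLE_ROOTLIST)
    allowed = parse_list(SAMPLE_ALLOWLIST)
    for h in ("login.evil-drainer.xyz", "myevil-drainer.xyz",
              "suspicious-domain.com", "cleared-shop.com"):
        print(h, "->", lookup(h, blocked, allowed))
    # The substring search reports a hit for a domain that is not on the list.
    print(grep_like("suspicious-domain.com", SAMPLE_ROOTLIST))
```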

Domain Security Reports

Understanding our domain intelligence database

What information is in a domain security report?

Each domain report is a comprehensive intelligence dossier containing:

  • Risk score — 0-100 composite threat rating with severity classification
  • VirusTotal results — detections from 95 antivirus engines with per-vendor breakdown
  • Screenshot — visual snapshot captured at scan time (75K+ screenshots stored locally)
  • WHOIS data — registrar, creation date, registrant info, nameservers
  • DNS records — A, MX, NS, TXT with IP geolocation and country flags
  • SSL certificate — issuer, validity, Subject Alternative Names (SANs)
  • Blocklist status — presence on 11+ major security blocklists
  • Scam type — wallet drainer, seed phrase theft, airdrop scam, investment scam, etc.
  • Brand targeted — which legitimate brand is being impersonated (350+ tracked brands)
  • Related domains — other domains sharing infrastructure, favicon, or phishing kit
  • Cloudflare Radar — domain categorization status
  • URLQuery scan — additional security analysis

Why does my legitimate domain appear in your database?

Possible reasons:

  • Your domain was previously compromised and used for phishing without your knowledge
  • Your domain shares infrastructure (IP, nameservers) with known phishing domains
  • An automated classifier flagged a false positive — this occurs in <0.01% of cases
  • Someone reported your domain through community channels

Important: PhishDestroy does not block domains directly. We report to AV vendors and registrars who make their own blocking decisions. If your domain was flagged incorrectly, submit an appeal — we respond within 48 hours and add cleared domains to our permanent allowlist.

How often is data updated?

Data Type | Frequency
New domain detection | Real-time (CT logs, parsers)
VirusTotal scans | Every 12-24 hours
Alive/dead status | Multiple times per day
DNS/WHOIS enrichment | On detection + on change
Screenshots | At first detection + periodic refresh
Blocklist sync | Every 4-6 hours (ETag caching)
API feed sync | Hourly
OG cards generation | On-demand + every 2 hours
Community blocklist | Every 2 hours (13+ sources)

Appeals & Delisting

How to resolve false positives and domain disputes

How do I appeal a false positive?

Two ways to appeal:

  1. Appeals Form (fastest) — submit your domain with proof of legitimacy
  2. GitHub Issue — open an issue with evidence

Process:

  • We review within 48 hours (most same-day)
  • If cleared, domain is added to our permanent allowlist
  • Allowlist is public: allowlist.json
  • Changes propagate to our API and database immediately

The entire process is completely free. We never charge for appeals or delistings — never have, never will.

How much does delisting cost?

Nothing. Zero. Free. Always.

Any third party claiming they can delist your domain from PhishDestroy for money is running a scam. We have no paid delisting program and never will. Report such services to us.

My domain was cleared but is still blocked elsewhere

PhishDestroy is one of many sources. Even after we clear your domain, other systems may still flag it:

  • Google Safe Browsing — submit at safebrowsing.google.com
  • Antivirus vendors — each maintains independent blocklists; contact each vendor's FP reporting channel
  • Browser warnings — may cache old data for 24-48 hours

Check your domain on VirusTotal to see which specific vendors are flagging it, then contact each one individually.

How does the ICANN compliance process work?

When we file abuse reports, we align with ICANN standards:

  • Formal abuse notifications to registrars via WHOIS abuse contacts
  • Complete evidence packages — scan results, screenshots, PDF reports with metadata
  • ICANN requires registrars to review abuse complaints within 24 hours
  • Conditional re-detection — if a domain remains active after 24h, we escalate with follow-up alerts

When a domain receives 10-30+ abuse reports and a registrar still ignores them for months, we document this publicly. The registrar is no longer passive — it effectively provides infrastructure for illegal activity. Our public database creates accountability.

Victim Resources

Emergency steps and protection guides

I was scammed. What should I do RIGHT NOW?

Time is critical. Act immediately:

  1. REVOKE token approvals NOW — go to revoke.cash immediately to revoke any pending wallet approvals. This stops ongoing drain.
  2. Contact SEAL 911 — emergency crypto incident response by security professionals. Visit phishdestroy.io/critical-action
  3. Move remaining funds — transfer all assets from the compromised wallet to a new, clean wallet
  4. Report to police — file a cybercrime report with your local police. Get a case number.
  5. Report publicly — file on Chainabuse to warn others and create a paper trail
  6. Preserve ALL evidence — wallet addresses, transaction IDs, screenshots, chat logs, emails, the phishing URL

DO NOT contact "recovery services" found online. 95%+ are secondary scams targeting victims.

Can stolen crypto be recovered?

Sometimes, but only if you act fast:

  • Token approvals not yet executed: If you only signed a malicious approval, revoking at revoke.cash immediately prevents further losses
  • CEX cashouts: If the attacker sends funds to Binance, Coinbase, etc., law enforcement can freeze accounts — but they need your police report
  • Bridge pauses: Some cross-chain bridges have paused transactions when fraud was reported quickly

Reality check: Most on-chain crypto theft is irreversible. Prevention is the best defense — use hardware wallets, verify URLs, never share seed phrases.

How do I spot a phishing website?

Red flags:

  • URL mismatch — "metamask-login.com" instead of "metamask.io"
  • Urgency language — "Act now or lose access", "Your wallet will be locked"
  • Seed phrase requests — NO legitimate service will EVER ask for your seed phrase
  • Unexpected wallet popups — WalletConnect or MetaMask prompts you didn't initiate
  • Too-good-to-be-true — free airdrops, guaranteed returns, "claim your reward"
  • Social media ads — phishing heavily uses paid ads on Twitter, Google, and Telegram
  • DM/reply scams — "customer support" reaching out to you first

Protection: Always check domains at phishdestroy.io/domain or use our Telegram bot before connecting your wallet. Read our full guide: Crypto Security Essentials

Are "crypto recovery services" legitimate?

Almost never. 95%+ of "recovery services" are secondary scams targeting people who already lost money.

Red flags:

  • They guarantee recovery (impossible to guarantee)
  • They require upfront payment
  • They found you through social media comments about being scammed
  • They claim to be "ethical hackers" who can "reverse transactions"
  • They ask for your seed phrase or wallet access

Legitimate help (all free): SEAL 911, local law enforcement, your exchange's support team, Chainabuse for public reporting.

Integration & Setup

How to integrate PhishDestroy into your security stack

How do I add Destroylist to Pi-hole?

Go to Pi-hole Admin → Settings → Blocklists → paste this URL:

https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt

Save and update gravity. The list auto-updates on your Pi-hole schedule.

How do I add Destroylist to uBlock Origin or AdGuard?

uBlock Origin: Settings → Filter lists → Import → paste:

https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt

AdGuard Home: Filters → DNS Blocklists → Add blocklist → paste the same URL.

How do I add Destroylist to pfSense / OPNsense?

For Unbound DNS resolver (pfSense/OPNsense):

https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf

For BIND or Knot DNS (RPZ format):

https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone

For Dnsmasq:

https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf

Can I contribute to PhishDestroy?

Yes! Here's how:

  • Report phishing domains via Telegram bot or abuse@phishdestroy.io
  • Integrate our blocklists — add Destroylist to your DNS, firewall, or security tools
  • Use our API — build tools, bots, or dashboards using the Threat API
  • Submit PRs — detection algorithm improvements, integration tips, fresh intel
  • Spread awareness — share our research on social media

We don't accept donations — the best way to support us is by making our data useful.

What can I use PhishDestroy data for?

Our data (MIT license) is used for:

  • Network security — firewall rules, DNS blocking, email filtering
  • Automation — SIEM/SOC integration, automated incident response
  • Threat research — phishing campaign analysis, brand impersonation trends
  • ML/AI training — phishing detection model training datasets
  • Trend analysis — registrar abuse rates, TLD risk patterns, drainer evolution
  • Legal evidence — timestamped domain reports for law enforcement, insurance claims

Historical vault: 500,000+ domains archived over 5+ years. Contact contact@phishdestroy.io for access.

Helpful Resources

I Was Scammed — What Now?
Emergency steps: SEAL 911, revoke approvals, police report, evidence preservation.
Threat API Documentation
Free API: domain check, bulk check (500/req), keyword search, full feeds. No API key needed.
Destroylist on GitHub
Open-source blocklists: 7 feeds, 7 formats. Pi-hole, AdGuard, pfSense, BIND ready.
Crypto Security Essentials
Hardware wallets, 2FA, URL verification, social engineering defense.
Anatomy of a Takedown
Step-by-step: detection, 50+ vendor reports, ICANN compliance, evidence archival.
Security Checklist
Step-by-step hardening guide — wallets, browsers, DNS, 2FA best practices.
