PD-PYRAMID · 2026 Q2

Threat Death Pyramid

From a single suspicious URL at the tip — through every parser, scraper, ad-monitor, and the AI engine — down to a wide base of vendors, registrars, evidence stores, and the public ledger that records its death.

~30 Sources · 50+ Vendors · 24h SLA · 12,847 Killed

L1 · Discovery Network: scrapers · monitors · ad & cert sweeps · 24/7 → find new domains

  • 30+ Parsers: CertStream · OpenPhish · URLhaus (poll · 60s, 1,247/h)
  • Ads Monitor: Google · Bing · DuckDuckGo (SERP sweep, 184/d)
  • SEO Scrapers: Top-100 wallet keywords (headless, 96/d)
  • Domain Monitor: dnstwist · 92 brands (permutations, 412/d)
  • Social Mentions: YouTube · X · Reddit · Discord (74 channels, 53/h)
  • Community Bot: @PhishDestroyBot · Telegram (intake, 28/h)

L2 · Surfaced URL: 1 domain · pulled from L1 ↑ · ready for verification
Suspicious URL
secure-metamask-login[.]xyz/connect
surfaced by Domain Monitor · 04:21 UTC · case #PD-48217
L3 · AI Verification: multi-signal · attribution model
L3 · PhishDestroy AI · Live

PhishDestroy AI

Multi-signal verification · false-positive guard · attribution model

  • Verifying heuristics
  • Capturing screenshots
  • Validating metadata

Verdict

Confirmed phishing
94 / 100 confidence
Wallet drainer · MetaMask brand · WHOIS < 7d · cloaked geo-fence

Signals

  • Heuristics
  • Screenshot diff
  • VT consensus
  • Wallet drainer
  • WHOIS < 7d
  • Cloaked geo
L3·5 · Active Investigation: deobfuscate · honeypot · seed-flood · wallet-trace · evidence-store

Code Analysis: JS deobfuscation · drainer signature
00:12 deobfuscate main.js · 4 layers
00:14 extract drainer.eth contract
00:16 match Inferno Drainer v3.2
signatures: 12 hits

Seed Flood: Telegram drainer-bot · @claim_eth_bot
00:21 tg-flood fake seed × 247
00:23 poison drainer DB · noise 92%
00:25 bot-down operator switched
seeds sent: 12,418

Wallet Trace: drainer addr · on-chain analytics
00:31 trace 0x7a3...4f9 · 412 ETH
00:33 cluster linked 38 addresses
00:35 flag Tornado Cash hop
cluster: 38 addr

Evidence Capture: WARC · screenshots · DOM snapshot
00:41 capture WARC · 14.2 MB
00:43 snapshot DOM + 6 viewports
00:45 hash SHA256 · pinned IPFS
artifacts: 28 files

Evidence Vault: Postgres · S3 · Merkle log
00:51 store case-id #PD-48217
00:53 index +ELK · attribution
00:55 commit Merkle root anchored
cases (30d): 2,184

L5 · Pressure Channels: abuse · evidence · public · loop

CH 01 · Push

Abuse Notifications

  • Registrar abuse: RFC2142 · DKIM-signed (3 open)
  • Hosting abuse: ARF + JSON (5 open)
  • ICANN escalation: Compliance ticket (Auto)
  • Nameserver alert: NS-level relay (2 open)

CH 02 · Seal

Forensic Evidence

  • Evidence package: tar.gz · S3 · WORM (Sealed)
  • PDF report: Court-ready (Built)
  • Screenshots: Headless · 2× DPR (Stored)
  • Metadata log: NDJSON · Merkle (Append)

CH 03 · Broadcast

Public Channels

  • GitHub: phishdestroy/db (Pushed)
  • Live map: /live · SSE (Streamed)
  • Twitter / X: @phishdestroy (Posted)
  • Telegram: t.me/phishdestroy (Posted)
  • Mastodon: @pd@infosec.exchange (Posted)
  • Public API: api.phishdestroy.io (Live)

CH 04 · Loop

Re-detection

  • +6h retest: Sandbox replay (Active)
  • +12h retest: Geo + UA matrix (Pending)
  • +24h retest: 2nd-wave abuse (Queued)
  • Attribution graph: Kit · operator · cluster (Linked)

L6 · Death & Public Record: phishing extinction event

Killed

Domain neutralized

DNS resolved → NXDOMAIN. Hosting suspended by registrar. Wallet flagged across all consumer browsers.

3h 42m Time-to-kill · 52 Vendors notified · $0 Stolen after kill

Recorded

Public record sealed

Committed to phishdestroy/db. Operator + kit linked to attribution cluster. Pinned in shame leaderboard.

#18472 Case ID · 7 Linked domains · 12,847 Total killed

Vendor sync · Abuse push · Evidence / loop · Public broadcast
12,847 killed · 3,124 active · 88 egregious · live