[False Negative]: add 7 phishing domains (app-trust[.]co[.]com, trastwallet[.]co[.]com, ...)

Open • ninjacatcher opened this issue 3 weeks ago • 0 comments

Lists in use

  • [x] Lite
  • [x] Pro
  • [x] Xtra

Client

NONE

Domains

app-trust.co.com
trastwallet.co.com
trustwallett.co.com
en-trust.co.com
trustwallet-app.io
trustwallet-com.to
trustwallet-pc.to

Details

Phishing Attack Details

These domains are part of a phishing campaign targeting cryptocurrency companies and cryptocurrency holders/investors. Attackers may use fake login pages, fake Web3 wallet connection prompts, fake cryptocurrency exchange/swap interfaces, or modified/malicious software to steal cryptocurrency seed phrases/keys.

Technical Details

  • Cloaked. This means: if a request does not meet certain internal rules of the attacker, the request may be redirected to a non-existent subdomain "www.www.", a legitimate website, or display various HTTP errors such as 403, 404, 502, etc., SSL certificate errors, infinite loading, or a fake Cloudflare (or other service) CAPTCHA, or show content distinguishable from the phishing page.

Detections & Targeted Brands

  • app-trust.co.com targets Trust Wallet (trustwallet.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/app-trust.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=app-trust.co.com
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=app-trust.co.com
  • trastwallet.co.com targets Trust Wallet (trustwallet.com)
    • VirusTotal: 7 detections - https://www.virustotal.com/gui/domain/trastwallet.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=trastwallet.co.com
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=trastwallet.co.com
  • trustwallett.co.com targets Trust Wallet (trustwallet.com)
    • VirusTotal: 8 detections - https://www.virustotal.com/gui/domain/trustwallett.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=trustwallett.co.com
  • en-trust.co.com targets Trust Wallet (trustwallet.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/en-trust.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=en-trust.co.com
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=en-trust.co.com
  • trustwallet-app.io targets Trust Wallet (trustwallet.com)
    • VirusTotal: 3 detections - https://www.virustotal.com/gui/domain/trustwallet-app.io/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=trustwallet-app.io
  • trustwallet-com.to targets Trust Wallet (trustwallet.com)
    • VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/trustwallet-com.to/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=trustwallet-com.to
  • trustwallet-pc.to targets Trust Wallet (trustwallet.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/trustwallet-pc.to/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=trustwallet-pc.to

Diagrams

Phishing Campaign Mindmap Overview
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#f97316', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#ea580c', 'lineColor': '#fb923c', 'secondaryColor': '#fed7aa', 'tertiaryColor': '#fff7ed'}}}%%
mindmap
    root((Phishing Campaign<br/>7 domains))
        ))TARGETS((
            ["Trust Wallet"]
                (app-trust.co.com)
                (trastwallet.co.com)
                (trustwallett.co.com)
                (en-trust.co.com)
                (trustwallet-app.io)
                (trustwallet-com.to)
                (trustwallet-pc.to)
        ))INFRASTRUCTURE((
            {{"AS213021 Prime"}}
                80.64.19.62
        ))REGISTRARS((
            ("NICENIC INTERNATIONAL GROUP CO., LIMITED")
            ("Hosting Concepts B.V. d/b/a Registrar.eu")

Phishing Campaign Full Overview (v1)
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#4f46e5', 'lineColor': '#a5b4fc', 'secondaryColor': '#e0e7ff', 'tertiaryColor': '#eef2ff'}}}%%
flowchart LR
    subgraph BRANDS["TARGET BRANDS"]
        direction TB
        B1["Trust Wallet"]
    end

    subgraph DOMAINS["PHISHING DOMAINS"]
        direction TB
        D1([app-trust.co.com])
        D2([trastwallet.co.com])
        D3([trustwallett.co.com])
        D4([en-trust.co.com])
        D5([trustwallet-app.io])
        D6([trustwallet-com.to])
        D7([trustwallet-pc.to])
    end

    subgraph SPACER1[" "]
        direction TB
        S1[ ]
        S2[ ]
    end

    subgraph HOSTING["HOSTING INFRASTRUCTURE"]
        direction TB

        subgraph CF["AS213021 Prime"]
            IP1{{80.64.19.62}}
        end
    end

    subgraph SPACER2[" "]
        direction TB
        S3[ ]
        S4[ ]
    end

    subgraph REGISTRARS["REGISTRARS"]
        direction TB
        R1[("NICENIC INTERNATIONAL GROUP CO., LIMITED")]
        R2[("Hosting Concepts B.V. d/b/a Registrar.eu")]
    end

    B1 -.-> D1
    B1 -.-> D2
    B1 -.-> D3
    B1 -.-> D4
    B1 -.-> D5
    B1 -.-> D6
    B1 -.-> D7

    D1 --> S1
    S1 --> IP1

    D2 --> IP1
    D3 --> IP1
    D4 --> IP1
    D5 --> IP1
    D6 --> IP1
    D7 --> IP1

    IP1 --> S3
    S3 --> R1

    D5 --- R2
    D6 --- R1
    D7 --- R1

    classDef brandStyle fill:#dc2626,stroke:#991b1b,stroke-width:2px,color:#fff
    classDef domainStyle fill:#7c3aed,stroke:#5b21b6,stroke-width:2px,color:#fff
    classDef ipStyle fill:#0891b2,stroke:#0e7490,stroke-width:2px,color:#fff
    classDef registrarStyle fill:#d97706,stroke:#b45309,stroke-width:2px,color:#fff
    classDef invisible fill:none,stroke:none,color:transparent
    classDef invisibleSubgraph fill:none,stroke:none
    class B1 brandStyle
    class D1,D2,D3,D4,D5,D6,D7 domainStyle
    class IP1 ipStyle
    class R1,R2 registrarStyle
    class S1,S2,S3,S4 invisible
    class SPACER1,SPACER2 invisibleSubgraph

    linkStyle 7,8,15,16 stroke:none

Phishing Campaign Registrars Pie Chart
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title Domain Registrars Distribution
    "NICENIC INTERNATIONAL GROUP CO., LIMITED" : 2
    "Hosting Concepts B.V. d/b/a Registrar.eu" : 1

Phishing Campaign ASN Hosting Pie Chart
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title ASN Hosting Distribution
    "AS213021 Prime" : 7

Screenshots

(Screenshots for some scans may not display or may not contain complete or correct content for various reasons, which can be seen on the specific scan page)

Scans

  • app-trust.co.com - https://urlscan.io/result/019b0c18-c6c3-7428-ab09-92637da4a360/
  • trastwallet.co.com - https://urlscan.io/result/019b0c18-cb7f-70f9-9ecd-b601669a3625/
  • trustwallett.co.com - https://urlscan.io/result/019b0c18-d23a-727b-90a8-3be378ab2e84/
  • en-trust.co.com - https://urlscan.io/result/019b0c18-d832-758f-be7a-577211be41f1/
  • trustwallet-app.io - https://urlscan.io/result/019b0c18-dee5-7055-9015-8dac4871295d/
  • trustwallet-com.to - https://urlscan.io/result/019b0c19-cbfa-75b4-b9ac-0b1697c46e4c/
  • trustwallet-pc.to - https://urlscan.io/result/019b0c19-d4e1-7609-ac93-4bfadd40da15/

Report Metadata ID: 20e61abf2274c9ac228 | Timestamp: 11.12.2025 06:38:16 UTC | Domains: 7 | (Total) Detections: VT: 24 | Spamhaus: 7 | APVA: 3 | Attack Vector: Phishing

ninjacatcher • Dec 11 '25 06:12