Editorial mirrorBrand mentions redacted to public IDs. Hover to inspect. Everything else is theatre.How it works
THE ENABLERS REGISTRYRegistrar accountability archive
Archive LiveRead-only public record · No ads · No tracking
Case file folder with redacted documents and confidential investigation report.
CASE / ANALYTICS

December 2025 Phishing Threat Report — THE ENABLERS REGISTRY Analytics

The Enablers Registry·Editorial mirror·/analytics/

Public record copy. Brand names withheld, public accreditation numbers preserved. If the body below says “we”, that means the original publisher, not this mirror. TER only preserves, redacts, and re-contextualizes.

December 2025 Intelligence Report 6.4%
11,769
8,738
Taken Down
3,031
Still Live
74.2%
Kill Rate
2464h
Avg Response
10.0
Avg VT Score

In December 2025, THE ENABLERS REGISTRY detected <strong>11,773</strong> possibly phishing domains, marking a <strong>6.4%</strong> decrease from the previous month. The takedown rate was <strong>76.3%</strong>, with <strong>8,978</strong> domains neutralized. Notably, <strong>Crypto Scam</strong> targeting remains prevalent with <strong>820</strong> domains, while <strong>[REDACTED]</strong> emerged as the top registrar for abuse cases. The operational impact shows effective takedown efforts, though the mean registrar response time of <strong>1452.7</strong> hours indicates room for improvement in response speed.

  • <strong>[REDACTED]</strong> leads registrar abuse with <strong>1268</strong> cases, necessitating focused intervention.
  • Crypto-related brands like <strong>NASDAQ:COIN</strong> and <strong>FinCEN MSB #31000023456789</strong> are primary targets, overshadowing traditional banking sectors.
  • The <strong>.com</strong> TLD remains the most weaponized with <strong>3816</strong> domains, followed by <strong>.app</strong> and <strong>.dev</strong>.
  • The <strong>Angel Drainer</strong> kit is the most used, posing significant threats to victims' wallets through direct fund extraction.
  • The US hosts the majority of possibly phishing infrastructure with <strong>8798</strong> domains, indicating a need for enhanced monitoring in this region.
  • Detection-to-takedown efficiency remains robust at <strong>76.3%</strong>, but the slow registrar response time highlights a critical gap.
Outlook
As we move into January 2026, defenders should anticipate continued targeting of crypto platforms, especially given the dominance of the <strong>Angel Drainer</strong> kit. Registrars like <strong>[REDACTED]</strong> and <strong>[REDACTED]</strong> require escalation to improve response times. Watch for potential shifts in TLD usage and geographic hosting patterns.

December 2025 Domains (11,769)

Sorted by VirusTotal detections. Click any domain for full security report.

Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of accounts.marketwebb.mobi
accounts.marketwebb.mobi
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of airdropalerts.lol
airdropalerts.lol
17 VTTaken Down
Screenshot of aktiiffkaanpaylaterrs.resmii-iid2.my.id
aktiiffkaanpaylaterrs.resmii-iid2.my.id
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of allegrolokalnie.6721842.cfd
allegrolokalnie.6721842.cfd
17 VTTaken Down
Screenshot of alyananx-nindoz.spaceinewsn.my.id
alyananx-nindoz.spaceinewsn.my.id
17 VTTaken Down
Screenshot of amazon.codecipher.dev
amazon.codecipher.dev
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken DownSolana Drainer
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken DownWallet Connect Abuse
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of bafkreicbdkvqb7e2flcg4wm6okkyijx5zmut7aamqxeq5s7kmr7syai5xa.ipfs.dweb.link
bafkreicbdkvqb7e2flcg4wm6okkyijx5zmut7aamqxeq5s7kmr7syai5xa.ipfs.dweb.link
17 VTLive
Screenshot of bafkreieqjvun2nolv7w6bfnnehceayo2relpnw36xmjtytwpynccqf5wke.ipfs.dweb.link
bafkreieqjvun2nolv7w6bfnnehceayo2relpnw36xmjtytwpynccqf5wke.ipfs.dweb.link
17 VTTaken Down
Screenshot of bafkreiezz7szm2v5hdurd4odopuw42wyqmyqeo4kmdafhzuhdqmshljdpa.ipfs.w3s.link
bafkreiezz7szm2v5hdurd4odopuw42wyqmyqeo4kmdafhzuhdqmshljdpa.ipfs.w3s.link
17 VTLive
Screenshot of bafkreihpec5h3lagmctlyyobawh3wffvtpk44srberrpyspxntqteq53qq.ipfs.dweb.link
bafkreihpec5h3lagmctlyyobawh3wffvtpk44srberrpyspxntqteq53qq.ipfs.dweb.link
17 VTLive
Screenshot of bafybeialhrwzqxqwwecyjmub6gn4ehoajt64dcpsaxtu6b5ier4zowx3de.ipfs.dweb.link
bafybeialhrwzqxqwwecyjmub6gn4ehoajt64dcpsaxtu6b5ier4zowx3de.ipfs.dweb.link
17 VTLive
Screenshot of bafybeib7qftc7bgvhkdew2purmpqalnn2knkwefxjdgeuskqd5spht4jym.ipfs.dweb.link
bafybeib7qftc7bgvhkdew2purmpqalnn2knkwefxjdgeuskqd5spht4jym.ipfs.dweb.link
17 VTLive
Screenshot of bafybeicdaibqcinsl5c2zhd7jgycr5pefqe3bann36wpwwqi2gmjnbzb6u.ipfs.dweb.link
bafybeicdaibqcinsl5c2zhd7jgycr5pefqe3bann36wpwwqi2gmjnbzb6u.ipfs.dweb.link
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTLive
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
Screenshot of beklemebasvur.sbs
beklemebasvur.sbs
17 VTTaken Down
Screenshot of [REDACTED]
[REDACTED]
17 VTTaken Down
« Prev ... 19 20 21 22 23 24 25 ... Next »

Detection Trends

Monthly domain volume, kill rate, and live threats over time.

Monthly Detected Domains

Kill Rate %

Continue browsing the ledger

This page is the editorial mirror. Brand names are redacted to public IANA / business identifiers. Use the index to navigate other case files.

Open registrar ledger → All briefings