🔴 LIVE INVESTIGATION FEED · Auto-updated · Last fetch 2026-06-23

US  ██████████████████        493 (32.2%)
RU  █████░░░░░░░░░░░░░        152 (9.9%)
GB  ████░░░░░░░░░░░░░░        130 (8.5%)
DE  ████░░░░░░░░░░░░░░        117 (7.6%)
NL  ███░░░░░░░░░░░░░░░         97 (6.3%)
CA  ███░░░░░░░░░░░░░░░         86 (5.6%)
BZ  ██░░░░░░░░░░░░░░░░         72 (4.7%)
UA  ██░░░░░░░░░░░░░░░░         63 (4.1%)

login (43) · binance (35) · ledger (31) · secure (29) · trust (29) · support (28) · official (27) · crypto (23) · vault (22) · connect (21) · coinbase (21) · wallet (17) · verify (16) · bridge (13) · swap (12)

📊 Live web dashboard: see Pages link at top · Updated daily 06:00 UTC

This repository is the Phase II evidence package of the PhishDestroy investigation into Trustname.com / Fewmoretaps OÜ (IANA registrar ID #4318).

Phase I — operator profile and corporate forensics is published as a standalone article on the PhishDestroy site: 📰 phishdestroy.io/trustname-bulletproof-exposed

This README does not duplicate Phase I material. Refer to the Phase I article for entity, officer, financial, and infrastructure findings.

Phase II — this repository — quantifies the abuse footprint by enumerating every domain in the registrar's zone. Rather than sampling, every domain is processed through a four-stage technical pipeline:

       ╭────────────────────╮      ╭────────────────────╮      ╭────────────────────╮      ╭────────────────────╮
       │   1. AWS Lambda    │ ───▶ │  2. Headless       │ ───▶ │  3. CF Deep Scan   │ ───▶ │  4. AI            │
       │   HTTP fingerprint │      │     Browser render │      │     + 2captcha     │      │     classification │
       │   80 conc / inv.   │      │     Playwright     │      │     SOCKS5 pool    │      │     Llama 3.1     │
       ╰────────────────────╯      ╰────────────────────╯      ╰────────────────────╯      ╰────────────────────╯
              7,641                       7,641                       2,182                       2,434
              domains                     domains                     protected targets           classified

Phase II in one sentence: of the 2,583 domains under this registrar that actually serve content, 2,221 (86 %) are confirmed malicious — phishing, carding, crypto drainers, malware distribution, illegal-drug sales, and unlicensed gambling. The remaining 5,058 are dead or parked. The complete per-domain dataset, screenshots, and operator-cluster analysis live in this repository.

Operator identity, corporate-registry details, and financial profile are covered in Phase I: phishdestroy.io/trustname-bulletproof-exposed

🔥 Of the domains in this registrar's zone that actually serve content, only 1 in 7 is legitimate.

📄 Full per-domain data: data/enriched.csv

Domains grouped by shared server fingerprint (SHA-256 prefix) and favicon MurmurHash3. Shared fingerprint = same hosting stack / same operator template — evidence of coordinated infrastructure, not unrelated registrants.

🎯 A single server fingerprint 811e0897f489 accounts for 21.9 % of the entire registrar zone. The "Elon" favicon cluster identified here directly extends the six-domain operator group described in Phase I.

Full cluster data: case/CLUSTERS.md

All artefacts are content-addressed by SHA-256 to support chain-of-custody verification.

📋 Detailed chain-of-custody documentation: PROVENANCE.md

# verify any archive
sha256sum pkg/raw_data/enriched.csv.gz
# expected prefix: a2a6f5fda9f364aa…

# verify all 1,953 screenshots against the manifest
cd docs/screenshots && sha256sum -c ../../evidence/HASHES.txt

Full per-domain narrative: case/HIGH_SEVERITY.md

This report is structured as an evidence package for criminal and financial-intelligence agencies, not as an ICANN compliance filing.

ICANN's mandate is technical stability of the DNS, not fraud policing. The Registrar Accreditation Agreement is a contract; an RAA §3.18 violation is a breach of contract, not a crime. Accreditation revocation is an administrative process measured in years.

Fewmoretaps OÜ collects registration revenue from operators conducting wire fraud, credential theft, carding, and cryptocurrency theft — establishing a knowing position in the criminal money flow. Criminal liability does not require ICANN action as a prerequisite.

trustname-evidence/
├── 📊 docs/                                 GitHub Pages site
│   ├── index.html                          Executive report — metrics, charts, gallery
│   ├── domains.html                        Searchable per-domain table (7,641)
│   ├── data.json                           Slim dataset for the live report
│   ├── build_datajson.py                   Generator: enriched.csv → data.json
│   ├── sitemap.xml / robots.txt / .nojekyll
│   └── screenshots/                        Local mirror; ignored by git, publish via S3/Git LFS
├── 📁 data/                                 Source datasets
│   ├── enriched.csv                        Full per-domain dataset
│   ├── high_severity.csv                   HIGH-only filtered subset
│   └── dead_domains.csv                    Dead / parked enumeration
├── 🚫 ioc/                                  Indicators of Compromise
│   ├── domains_high.txt                    1,114 HIGH blocklist
│   ├── domains_all_malicious.txt           2,221 HIGH + MEDIUM blocklist
│   └── indicators.csv                      SIEM-ready
├── 🔐 evidence/
│   ├── screenshots/                        Local screenshot archive; ignored by git
│   └── HASHES.txt                          SHA-256 manifest
├── 📄 case/                                 Narrative reports
│   ├── INVESTIGATION.md
│   ├── HIGH_SEVERITY.md
│   └── CLUSTERS.md
├── 📦 pkg/raw_data/                         Compressed raw scan output
│   ├── enriched.csv.gz
│   ├── lambda_results.jsonl.gz
│   ├── deep_results.jsonl.gz
│   └── threat_intel.jsonl.gz
├── 🔧 .github/workflows/pages.yml           Auto-build & deploy
├── 📄 PROVENANCE.md                         Chain of custody
├── 📄 VERIFY.md                             Hash verification and release signing
├── 📄 NOTICE.md                             TLP:CLEAR and evidence-use notice
├── 📄 CITATION.cff                          Citation metadata
├── 🔐 SHA256SUMS.txt                        Repository SHA-256 manifest
├── 📜 LICENSE                               MIT
└── 📖 README.md

PhishDestroy is an independent anti-phishing and anti-fraud research project. Our work includes:

• Domain abuse detection at scale — complete-zone scans of accused-bulletproof registrars, real-time IOC feed publication, infrastructure clustering
• Operator attribution — corporate-registry forensics, payment-rail tracing, fake-review forensics, infrastructure mapping
• Public evidence packages — TLP:CLEAR, MIT-licensed, formatted for ICANN compliance, law-enforcement intake, and academic citation

🌐 Main site & research index: phishdestroy.io 📚 Investigation archive: phishdestroy.io/articles 🐙 Code & datasets: github.com/phishdestroy

@misc{phishdestroy_trustname_2026,
  author       = {PhishDestroy Research},
  title        = {Fewmoretaps O\"U / Trustname.com --- Registrar Zone Evidence
                  (Phase II of the Trustname Investigation)},
  year         = 2026,
  month        = jun,
  howpublished = {GitHub},
  url          = {https://github.com/phishdestroy/trustname-evidence}
}

Plain text:

PhishDestroy. (2026). Fewmoretaps OÜ / Trustname.com — Registrar Zone Evidence
(Phase II of the Trustname investigation). GitHub.
https://github.com/phishdestroy/trustname-evidence

All data in this repository was collected exclusively from publicly accessible sources:

No non-public systems were accessed. No credentials were tested. No authentication was bypassed. No victim data was processed.

This publication is conducted under:

• ICANN Registrar Accreditation Agreement §3.18 (abuse response obligations)
• CISA Coordinated Vulnerability Disclosure guidelines
• FIRST.org TLP:CLEAR definition — unlimited public sharing permitted

This research documents objectively verifiable facts: domain registration patterns, HTTP response content, and registrar abuse-response latency. Trustname.com / Fewmoretaps OÜ is an ICANN-accredited registrar bound by public accountability obligations.

Publication of factual evidence of contractual non-compliance with ICANN's abuse-response requirements is not defamation — it is the function those requirements were designed to enable. Registrars that maintain functional abuse response pipelines have nothing to fear from this disclosure.

If Trustname disputes any finding: submit documented evidence via phishdestroy.io. Findings supported by evidence will be corrected in a timestamped update.

This investigation is part of a series documenting ICANN-accredited registrars that systematically obstruct anti-phishing enforcement or directly profit from fraud infrastructure.

Fewmoretaps ÖÜ is registered in Estonia but operated entirely by Belarusian nationals with zero legitimate business activity:

Original Founder (2021–2023):

Current Owner / CEO (since 23.05.2023):

Estonia is used exclusively as a jurisdiction of convenience. The company has one employee (Nestsiarovich himself), €120 declared revenue in 2024 against €175,310 in long-term liabilities, and is currently under liquidation.

What Trustname.com claims:

• "#1 fastest growing independent registrar in 2025"
• "Trusted by millions"
• Fortune 500 clients: McDonald's, Vodafone, Adidas, Yahoo, BCG
• "Team of over 35 people"
• Offices in London, Beverly Hills, Melbourne
• "Since 1997"

What Estonian tax filings show:

• €120 total revenue (2024)
• 1 employee (Nestsiarovich)
• Incorporated 2021 — not 1997
• Company under liquidation proceedings
• Virtual office address only
• 30 fake website testimonials — only 11 unique first names ("Jack" ×5, "Lily" ×6)

The gap between the marketing front and the corporate reality is not a discrepancy — it is the business model.

Accepting Monero (XMR) — a cryptocurrency specifically designed to be untraceable — while declaring €120 annual revenue and holding an ICANN accreditation is not a compliance edge case. It is a structural violation of Estonian AML law and VASP licensing requirements.

Active scam casino domains registered through IANA #4318 in April 2026, all shielded by registrar-owned privacy proxies:

Shared backend: gambler-partners.is — Russian-language admin panel titled "Gambler | Главная"

Trustname operates two registrar-owned privacy proxy services to shield its fraud customers:

• harakiri.org — Perfect Privacy LLC, Saint Kitts & Nevis — accepts BTC, LTC, XMR, ZEC
• whoispps.com — WHOIS Privacy Protection LLC, Orlando FL — "Physical mail is discarded"

• Domains with full evidence packages survive abuse reports without suspension.
• Registration revenue and crypto payments flow from operators running wire fraud, credential theft, and casino scams — knowing position in criminal money flow.
• Company is under liquidation, yet ICANN accreditation remains active — enforcement lag creates an operational window for ongoing abuse.
• As an EU-registered entity subject to Estonian AML/CFT law and the EU's VASP framework, Fewmoretaps is operating a de facto unlicensed crypto exchange.
• Direct abuse reports with evidence: ignored or met with form-letter non-responses.
• Criminal liability under Estonian law does not require prior ICANN action.

"€120 revenue. €175,310 liabilities. Monero accepted. One employee. ICANN-accredited. Under liquidation. This is not a registrar — it is a fraud infrastructure service with a compliance veneer."

Full Phase I investigation: phishdestroy.io/trustname-bulletproof-exposed

PhishDestroy Research · Phase II · June 2026 · TLP:CLEAR