---

🔴 LIVE INVESTIGATION FEED · Auto-updated · Last fetch 2026-06-24

📦 Domains tracked 9,536

💰 Est. revenue \$80,029

📡 Deployed 66.4%

✅ Confirmed phishing 35.9% (3,428)

⚡ Fresh (≤7d) 6.7%

🕵️ Serial regs 3

🏷️ Top TLD Zones

TLD	Count	Avg Reg Period	Est. Revenue
.com	7,508	418d	$67,497
.icu	620	365d	$614
.net	438	434d	$4,376
.org	369	510d	$3,686
.app	81	365d	$1,134
.cam	78	365d	$389
.pro	54	425d	$431
.cyou	50	365d	$50
.xyz	35	396d	$52
.info	34	483d	$136

🌍 Top Hosting Countries

US  ██████████████████        506 (32.6%)
RU  █████░░░░░░░░░░░░░        152 (9.8%)
GB  ████░░░░░░░░░░░░░░        131 (8.4%)
DE  ████░░░░░░░░░░░░░░        118 (7.6%)
NL  ███░░░░░░░░░░░░░░░         97 (6.2%)
CA  ███░░░░░░░░░░░░░░░         87 (5.6%)
BZ  ██░░░░░░░░░░░░░░░░         72 (4.6%)
UA  ██░░░░░░░░░░░░░░░░         66 (4.2%)

📈 Registration Burst Days

Date	Domains	× Average
2026-06-15	232	11.2× 🚨
2026-06-08	202	9.8× 🚨
2026-06-17	202	9.8× 🚨
2026-06-10	191	9.2× 🚨
2026-06-04	169	8.2× 🚨

🎯 Top Targeted Brands & Keywords

login (44) · binance (35) · ledger (31) · secure (30) · trust (29) · support (28) · official (27) · crypto (23) · coinbase (22) · vault (22) · connect (21) · wallet (17) · verify (16) · swap (13) · bridge (13)

🕵️ Top Serial Registrants — 5 emails with ≥5 domains

#	Registrant Email (redacted)	Domains
1	m***@unternehmen.de	23
2	sup***@mxl.zendesk.com	18
3	sup***@stake.com	13
4	hel***@wingstop.com	7
5	s***@email.com	5

📥 Download Threat Intelligence

File	Format	Description
data/all.txt	TXT	All tracked domains
data/index.json	JSON	Full analytics snapshot
data/ioc/serial_registrants.json	JSON	Repeat registrants + their domains
data/ioc/shared_ips.json	JSON	Bulletproof hosting clusters
data/ioc/brand_domains.json	JSON	Domains by targeted brand
data/ioc/stix-bundle.json	STIX 2.1	MISP/OpenCTI ready bundle
data/ioc/serial_emails.txt	TXT	grep-friendly: email⇥count
data/ioc/shared_ips.txt	TXT	grep-friendly: ip⇥count⇥country

📊 Live web dashboard: see Pages link at top · Updated daily 06:00 UTC

---

📑 Table of Contents

Investigation 1 · Background 2 · Subject 3 · Scope and Coverage 4 · Methodology

Evidence 5 · Headline Findings 6 · Operator Clusters 7 · Evidence Archive 8 · Notable Confirmed Cases

Legal / Reuse 9 · Enforcement Posture 10 · Repository Structure 11 · Mirrors 12 · Citation & License

---

1 · Background

This repository is the Phase II evidence package of the PhishDestroy investigation into Trustname.com / Fewmoretaps OÜ (IANA registrar ID #4318).

Phase I — operator profile and corporate forensics is published as a standalone article on the PhishDestroy site: 📰 phishdestroy.io/trustname-bulletproof-exposed

This README does not duplicate Phase I material. Refer to the Phase I article for entity, officer, financial, and infrastructure findings.

Phase II — this repository — quantifies the abuse footprint by enumerating every domain in the registrar's zone. Rather than sampling, every domain is processed through a four-stage technical pipeline:

       ╭────────────────────╮      ╭────────────────────╮      ╭────────────────────╮      ╭────────────────────╮
       │   1. AWS Lambda    │ ───▶ │  2. Headless       │ ───▶ │  3. CF Deep Scan   │ ───▶ │  4. AI            │
       │   HTTP fingerprint │      │     Browser render │      │     + 2captcha     │      │     classification │
       │   80 conc / inv.   │      │     Playwright     │      │     SOCKS5 pool    │      │     Llama 3.1     │
       ╰────────────────────╯      ╰────────────────────╯      ╰────────────────────╯      ╰────────────────────╯
              7,641                       7,641                       2,182                       2,434
              domains                     domains                     protected targets           classified

Phase II in one sentence: of the 2,583 domains under this registrar that actually serve content, 2,221 (86 %) are confirmed malicious — phishing, carding, crypto drainers, malware distribution, illegal-drug sales, and unlicensed gambling. The remaining 5,058 are dead or parked. The complete per-domain dataset, screenshots, and operator-cluster analysis live in this repository.

---

2 · Subject

Field	Value
🏢 Legal entity	Fewmoretaps OÜ
🌐 DBA	Trustname.com
🆔 ICANN / IANA ID	#4318
🇪🇪 Jurisdiction	Estonia (EU)

Operator identity, corporate-registry details, and financial profile are covered in Phase I: phishdestroy.io/trustname-bulletproof-exposed

---

3 · Scope and Coverage

Parameter	Value
📆 Scan window	June 2026
📊 Domains in scope	7,641 — all domains under registrar management
🎯 Sampling	None — complete-zone enumeration
🌐 Network coverage	Full HTTP + headless browser for every domain
☁ Cloudflare-protected	2,072 domains identified in the enriched dataset
🧩 Phase 3 re-scan targets	2,182 blocked / challenged domains re-scanned via proxy + 2captcha
🧩 CAPTCHAs solved	92 (hCaptcha · reCAPTCHA v2/v3 · Cloudflare Turnstile)
📷 Screenshots captured	1,953
🤖 AI-classified content	2,434 domains
🛡 Threat-intel feeds	Spamhaus DBL · SURBL · URLhaus · ThreatFox

---

4 · Methodology

🔍 Phase 1 — HTTP Fingerprint (AWS Lambda)

Runtime	Python 3.11 + `aiohttp$, \text{deployed} \text{to} \text{AWS} \text{Lambda}
\text{Concurrency}	80 \text{requests} / \text{invocation} \times 77 \text{parallel} \text{invocations}
\text{User}-\text{Agent}	\text{Googlebot} (\text{cloaking} \text{bypass})
$favicon_mmh3`	MurmurHash3 32-bit of /favicon.ico — Shodan-compatible
server_fp	SHA-256 of server ‖ content-type ‖ x-powered-by
simhash	64-bit body SimHash for near-duplicate detection

🖥 Phase 2 — Browser Render (Playwright)

Runtime	Playwright 1.40 + playwright-stealth v2, headless Chromium
Isolation	new browser context per domain (prevents `TargetClosedError$ \text{cascade})
\text{Capture}	\text{Full}-\text{page} \text{screenshot} 1280 \times 800, \text{DOM} \text{dump}, \text{form}-\text{field} \text{inventory}

\text{Form}-\text{field} \text{semantic} \text{flags}: $seed_phrase·private_key·wallet_addr·card_number·cvv·iban·sort_code·routing_number·password·otp_2fa·recovery_email·ssn·passport_number·dob`

☁ Phase 3 — Cloudflare Deep Scan

Scope	2,182 domains returning HTTP 403/503 from Phase 2
Proxy pool	2,600+ rotating SOCKS5 exits
CAPTCHA	2captcha API — hCaptcha · reCAPTCHA v2/v3 · Cloudflare Turnstile
Result	92 CAPTCHAs solved · 1,953 final screenshots

🤖 Phase 4 — AI Classification

Model	llama-3.1-8b-instant via Groq API
Input	(title, h1, meta_desc, body_text[:2000], form_labels)
Output	Natural-language description + category enum + severity score
DNSBL	Spamhaus DBL · SURBL
REST	URLhaus · ThreatFox (Abuse.ch)

---

📊 Headline Findings

🔥 Of the domains in this registrar's zone that actually serve content, only 1 in 7 is legitimate.

Category Breakdown

	Category	Count	Severity	Description
🎰	GAMBLING	733	🟠 MEDIUM	Unlicensed casino/betting; Turkish bahis cluster
🎣	PHISHING_GENERIC	396	🔴 HIGH	Credential harvesting (login, OTP, password)
🏦	PHISHING_FINANCE	236	🔴 HIGH	Bank/card/CVV harvesting
💳	CARDING	182	🔴 HIGH	Clone-card shops, dumps markets, money-mule
🪙	PHISHING_CRYPTO	178	🔴 HIGH	Wallet/exchange phishing (Ledger, Solflare, Pump.fun)
🎭	CRYPTO_SCAM	146	🔴 HIGH	Fake investment platforms, "Elon Musk" casinos
☣	MALWARE_DIST	105	🔴 HIGH	RAT shops, crackware, fake firmware updaters
™	BRAND_ABUSE	83	🟠 MEDIUM	Brand impersonation, typosquatting
🔞	ADULT	81	🟠 MEDIUM	Unlicensed adult content, escort/cams
🚰	CRYPTO_DRAIN	60	🔴 HIGH	Wallet drainers, seed-phrase forms
📨	SPAM_INFRA	56	🟠 MEDIUM	Email/SMS spam infrastructure
🔀	PROXY_VPN	48	🟠 MEDIUM	Proxy / VPN abuse services
💊	ILLEGAL_DRUGS	42	🔴 HIGH	Rx drugs without prescription
🔄	CRYPTO_MIXER	28	🔴 HIGH	Cryptocurrency mixing / laundering
🟢	ACTIVE	207	🟢 LOW	Responds, no confirmed malicious signal
🅿	PARKING	27	⚪ INFO	Parked / for sale
❌	ERROR	286	⚪ INFO	5xx, connection refused, no content
⚫	DEAD	4,745	⚪ INFO	No DNS / no response

📄 Full per-domain data: data/enriched.csv

---

🕸 Operator Clusters

Domains grouped by shared server fingerprint (SHA-256 prefix) and favicon MurmurHash3. Shared fingerprint = same hosting stack / same operator template — evidence of coordinated infrastructure, not unrelated registrants.

Cluster Key	Type	Domains	Primary Category
🔑 811e0897f489	server_fp	1,674	🎰 GAMBLING — Turkish bahis cluster
🔑 0ab5f121ab0d	server_fp	305	🎰 GAMBLING — multilingual casino
🔑 4492f7f3e69c	server_fp	161	💳 CARDING
🔑 d8c33640a2fc	server_fp	149	💳 CARDING
🔑 4b8db6e031cc	server_fp	122	🏦 PHISHING_FINANCE — 1xbet typosquats
🔑 24be2aa9d598	server_fp	104	❌ ERROR (dormant abuse infra)
🖼 -736095526	favicon_mmh3	88	🎭 CRYPTO_SCAM — "Elon" casino cluster — overlaps Phase I
🖼 1869784862	favicon_mmh3	34	🪙 PHISHING_CRYPTO — Solana drainer cluster
🔑 a1b77bce0100	server_fp	28	☣ MALWARE_DIST — Binance impersonation

🎯 A single server fingerprint 811e0897f489 accounts for 21.9 % of the entire registrar zone. The "Elon" favicon cluster identified here directly extends the six-domain operator group described in Phase I.

Full cluster data: case/CLUSTERS.md

---

📦 Evidence Archive

All artefacts are content-addressed by SHA-256 to support chain-of-custody verification.

Path	Size	SHA-256 (16)	Contents
📊 data/enriched.csv	2.8 MB	83ea143175d8a378	Full enriched dataset — all 7,641 domains, all columns
📊 data/high_severity.csv	748 KB	ecee3b68b2fb34c8	HIGH-only filtered subset
📊 data/dead_domains.csv	742 KB	5ee84646c6872591	Dead / parked / error enumeration
🚫 ioc/domains_high.txt	19 KB	ec9e43c15ff3cffc	Production blocklist — 1,114 HIGH domains
🚫 ioc/domains_all_malicious.txt	39 KB	d27809c1a099c019	HIGH + MEDIUM blocklist — 2,221 domains
🛡 ioc/indicators.csv	775 KB	4e9dcd3840be9f9a	SIEM indicators — IP, server_fp, favicon_mmh3, category, severity
🔐 evidence/HASHES.txt	168 KB	131ff258bd0c058c	SHA-256 of all 1,953 screenshots
📦 pkg/raw_data/enriched.csv.gz	560 KB	a2a6f5fda9f364aa	Compressed enriched dataset
📦 pkg/raw_data/lambda_results.jsonl.gz	509 KB	c0add17921efada8	Phase 1 — HTTP fingerprint raw output
📦 pkg/raw_data/deep_results.jsonl.gz	1.1 MB	60b943f03e7ac926	Phase 2/3 — browser render raw output
📦 pkg/raw_data/threat_intel.jsonl.gz	74 KB	4a92dafe955b60d4	Threat-intel cross-reference

📋 Detailed chain-of-custody documentation: PROVENANCE.md

🔍 Verification

# verify any archive
sha256sum pkg/raw_data/enriched.csv.gz
# expected prefix: a2a6f5fda9f364aa…

# verify all 1,953 screenshots against the manifest
cd docs/screenshots && sha256sum -c ../../evidence/HASHES.txt

---

🎯 Notable Confirmed Cases

Domain	Category	Evidence
💳 buyclonecards.bond	CARDING	Explicit clone-card shop, CVV dumps market
☣ thebtmob.com	MALWARE_DIST	Active BT-MOB RAT shop, malware-as-a-service
🚰 fragapi.com	CRYPTO_DRAIN	Seed-phrase harvesting form (browser-confirmed)
🚰 instasolana.bond	CRYPTO_DRAIN	Solana wallet drainer, 1,674-domain shared infra
🪙 purnp-fun.com	PHISHING_CRYPTO	Fake Pump.fun / Solflare phishing page
☣ kmspico.zip	MALWARE_DIST	Malware under crack/keygen disguise
💳 rollmaneycontrol.bond	CARDING	Money-mule / fund-transfer fraud

Full per-domain narrative: case/HIGH_SEVERITY.md

---

⚖ Enforcement Posture

This report is structured as an evidence package for criminal and financial-intelligence agencies, not as an ICANN compliance filing.

ICANN's mandate is technical stability of the DNS, not fraud policing. The Registrar Accreditation Agreement is a contract; an RAA §3.18 violation is a breach of contract, not a crime. Accreditation revocation is an administrative process measured in years.

Fewmoretaps OÜ collects registration revenue from operators conducting wire fraud, credential theft, carding, and cryptocurrency theft — establishing a knowing position in the criminal money flow. Criminal liability does not require ICANN action as a prerequisite.

Agency	Jurisdictional Basis
🇪🇪 Politsei- ja Piirivalveamet	Primary registration jurisdiction · EU AML Directive
🇪🇪 CERT-EE / RIA	National CERT · cybercrime reporting authority
🇪🇺 Europol EC3	Cross-border cybercrime coordination · iForce referrals
🇺🇸 FBI IC3	Wire fraud (18 U.S.C. §1343), CFAA — US victims
🇺🇸 FinCEN	Money-services business violations · USD flow tracing

---

📂 Repository Structure

trustname-evidence/
├── 📊 docs/                                 GitHub Pages site
│   ├── index.html                          Executive report — metrics, charts, gallery
│   ├── domains.html                        Searchable per-domain table (7,641)
│   ├── data.json                           Slim dataset for the live report
│   ├── build_datajson.py                   Generator: enriched.csv → data.json
│   ├── sitemap.xml / robots.txt / .nojekyll
│   └── screenshots/                        Local mirror; ignored by git, publish via S3/Git LFS
├── 📁 data/                                 Source datasets
│   ├── enriched.csv                        Full per-domain dataset
│   ├── high_severity.csv                   HIGH-only filtered subset
│   └── dead_domains.csv                    Dead / parked enumeration
├── 🚫 ioc/                                  Indicators of Compromise
│   ├── domains_high.txt                    1,114 HIGH blocklist
│   ├── domains_all_malicious.txt           2,221 HIGH + MEDIUM blocklist
│   └── indicators.csv                      SIEM-ready
├── 🔐 evidence/
│   ├── screenshots/                        Local screenshot archive; ignored by git
│   └── HASHES.txt                          SHA-256 manifest
├── 📄 case/                                 Narrative reports
│   ├── INVESTIGATION.md
│   ├── HIGH_SEVERITY.md
│   └── CLUSTERS.md
├── 📦 pkg/raw_data/                         Compressed raw scan output
│   ├── enriched.csv.gz
│   ├── lambda_results.jsonl.gz
│   ├── deep_results.jsonl.gz
│   └── threat_intel.jsonl.gz
├── 🔧 .github/workflows/pages.yml           Auto-build & deploy
├── 📄 PROVENANCE.md                         Chain of custody
├── 📄 VERIFY.md                             Hash verification and release signing
├── 📄 NOTICE.md                             TLP:CLEAR and evidence-use notice
├── 📄 CITATION.cff                          Citation metadata
├── 🔐 SHA256SUMS.txt                        Repository SHA-256 manifest
├── 📜 LICENSE                               MIT
└── 📖 README.md

---

🌐 PhishDestroy

PhishDestroy is an independent anti-phishing and anti-fraud research project. Our work includes:

• Domain abuse detection at scale — complete-zone scans of accused-bulletproof registrars, real-time IOC feed publication, infrastructure clustering
• Operator attribution — corporate-registry forensics, payment-rail tracing, fake-review forensics, infrastructure mapping
• Public evidence packages — TLP:CLEAR, MIT-licensed, formatted for ICANN compliance, law-enforcement intake, and academic citation

🌐 Main site & research index: phishdestroy.io 📚 Investigation archive: phishdestroy.io/articles 🐙 Code & datasets: github.com/phishdestroy

🌐 Mirrors and Long-Term Access

Channel	Identifier
🐙 GitHub	phishdestroy/trustname-evidence
🌐 GitHub Pages	phishdestroy.github.io/trustname-evidence
📰 PhishDestroy publication	phishdestroy.io/trustname-bulletproof-exposed
🌐 PhishDestroy main site	phishdestroy.io
⏳ Wayback Machine	snapshot pinned on publication

---

📚 Citation

@misc{phishdestroy_trustname_2026,
  author       = {PhishDestroy Research},
  title        = {Fewmoretaps O\"U / Trustname.com --- Registrar Zone Evidence
                  (Phase II of the Trustname Investigation)},
  year         = 2026,
  month        = jun,
  howpublished = {GitHub},
  url          = {https://github.com/phishdestroy/trustname-evidence}
}

Plain text:

PhishDestroy. (2026). Fewmoretaps OÜ / Trustname.com — Registrar Zone Evidence
(Phase II of the Trustname investigation). GitHub.
https://github.com/phishdestroy/trustname-evidence

---

⚖️ Legal Notice & Responsible Disclosure

All data in this repository was collected exclusively from publicly accessible sources:

Source	Method
Zone file	ICANN CZDS — accredited access, permissible use
WHOIS	Public WHOIS protocol (RFC 3912)
HTTP responses	Passive crawl of publicly reachable URLs
DNS records	Passive DNS / authoritative queries
Screenshots	Rendered pages accessible to any browser

No non-public systems were accessed. No credentials were tested. No authentication was bypassed. No victim data was processed.

This publication is conducted under:

• ICANN Registrar Accreditation Agreement §3.18 (abuse response obligations)
• CISA Coordinated Vulnerability Disclosure guidelines
• FIRST.org TLP:CLEAR definition — unlimited public sharing permitted

Regarding Reputational Impact

This research documents objectively verifiable facts: domain registration patterns, HTTP response content, and registrar abuse-response latency. Trustname.com / Fewmoretaps OÜ is an ICANN-accredited registrar bound by public accountability obligations.

Publication of factual evidence of contractual non-compliance with ICANN's abuse-response requirements is not defamation — it is the function those requirements were designed to enable. Registrars that maintain functional abuse response pipelines have nothing to fear from this disclosure.

If Trustname disputes any finding: submit documented evidence via phishdestroy.io. Findings supported by evidence will be corrected in a timestamped update.

📜 License	MIT — see LICENSE
🏷 TLP	CLEAR — unlimited distribution, no restrictions
🤝 Sharing	Researchers, journalists, law enforcement, brand protection teams — use freely
📋 Evidence notice	NOTICE.md
🔏 Verification	VERIFY.md
🌐 Contact	phishdestroy.io

---

🕸️ Network of Complicit Registrars

This investigation is part of a series documenting ICANN-accredited registrars that systematically obstruct anti-phishing enforcement or directly profit from fraud infrastructure.

#	Registrar	IANA	Zone	Confirmed Malicious	Russian Connection	Investigation
1	NICENIC INTERNATIONAL GROUP	#3765	349,376	18,927 (50% of alive)	🇷🇺 #2 hosting country (8.5%)	nicenic-evidence · Live Report
2	Trustname.com / Fewmoretaps ÖÜ (this)	#4318	9,343	1,114 HIGH (86% alive)	🇷🇺 Russian-operated, Estonian shell	trustname-evidence · Live Report
3	NameSilo, LLC	#1479	5,251,494	183,419	🇷🇺 Russian team members, suppression campaign	namesilo-evidence · Live Report

---

🇷🇺 Russian Connection & Complicity Record

The Operators — Belarusian, Not Estonian

Fewmoretaps ÖÜ is registered in Estonia but operated entirely by Belarusian nationals with zero legitimate business activity:

Original Founder (2021–2023):

Field	Detail
Name	Vitali Tsyvinski
Nationality	Belarus
Personal ID	39403090187
Role	Sole board member & shareholder
Signed	2022 annual report on 13.01.2023

Current Owner / CEO (since 23.05.2023):

Field	Detail
Name	Kiryl Nestsiarovich ("Kir N.")
DOB	09.09.1993
Nationality	Belarus
Phone	+375 29 2964411 (MTS mobile, Belarusian carrier)
Shareholding	100%
Status	Listed as CEO on trustname.com/about

Estonia is used exclusively as a jurisdiction of convenience. The company has one employee (Nestsiarovich himself), €120 declared revenue in 2024 against €175,310 in long-term liabilities, and is currently under liquidation.

Financial Reality vs. Marketing Claims

What Trustname.com claims:

• "#1 fastest growing independent registrar in 2025"
• "Trusted by millions"
• Fortune 500 clients: McDonald's, Vodafone, Adidas, Yahoo, BCG
• "Team of over 35 people"
• Offices in London, Beverly Hills, Melbourne
• "Since 1997"

What Estonian tax filings show:

• €120 total revenue (2024)
• 1 employee (Nestsiarovich)
• Incorporated 2021 — not 1997
• Company under liquidation proceedings
• Virtual office address only
• 30 fake website testimonials — only 11 unique first names ("Jack" ×5, "Lily" ×6)

The gap between the marketing front and the corporate reality is not a discrepancy — it is the business model.

Crypto Wallets (Accept Monero — Untraceable)

Asset	Address
ETH	0xdee6582dc53fa56180311393018121c6f1e8bd7c
LTC	MEREvHtzqAUTJ1XvEevmci8UqMnDvfe2ri
ZEC	t1d19KevpcXpesr9XA9UUyMW9XGYVDxkK9S
XMR	8B5N29BocrTjkRCeGCARnkhKgBeHBhg4oH7ay4RfXfnL7RqBdyiuL4k6iN4GVUVxt1EQJvZRqLg8n4qgCNWmYHQQDZmfytM

Accepting Monero (XMR) — a cryptocurrency specifically designed to be untraceable — while declaring €120 annual revenue and holding an ICANN accreditation is not a compliance edge case. It is a structural violation of Estonian AML law and VASP licensing requirements.

Russian-Language Fraud Infrastructure

Active scam casino domains registered through IANA #4318 in April 2026, all shielded by registrar-owned privacy proxies:

Domain	Registered	Notes
noawin.com	04-12-2026	Privacy: Perfect Privacy LLC (St Kitts & Nevis)
henofex.com	04-09-2026	"Elon Musk" Casino scheme
jopexplay.com	04-10-2026	Cloudflare-blocked
bezowin159.pro	04-13-2026	Privacy: WHOIS Privacy Protection LLC
noswin152.pro	04-08-2026	—
bazowin781.pro	04-08-2026	—

Shared backend: gambler-partners.is — Russian-language admin panel titled "Gambler | Главная"

Trustname operates two registrar-owned privacy proxy services to shield its fraud customers:

• harakiri.org — Perfect Privacy LLC, Saint Kitts & Nevis — accepts BTC, LTC, XMR, ZEC
• whoispps.com — WHOIS Privacy Protection LLC, Orlando FL — "Physical mail is discarded"

Documented Obstruction

• Domains with full evidence packages survive abuse reports without suspension.
• Registration revenue and crypto payments flow from operators running wire fraud, credential theft, and casino scams — knowing position in criminal money flow.
• Company is under liquidation, yet ICANN accreditation remains active — enforcement lag creates an operational window for ongoing abuse.
• As an EU-registered entity subject to Estonian AML/CFT law and the EU's VASP framework, Fewmoretaps is operating a de facto unlicensed crypto exchange.
• Direct abuse reports with evidence: ignored or met with form-letter non-responses.
• Criminal liability under Estonian law does not require prior ICANN action.

"€120 revenue. €175,310 liabilities. Monero accepted. One employee. ICANN-accredited. Under liquidation. This is not a registrar — it is a fraud infrastructure service with a compliance veneer."

Full Phase I investigation: phishdestroy.io/trustname-bulletproof-exposed

🔗 Related Investigations

---