Modern phishing campaigns no longer rely on a single throwaway domain. Instead, adversaries deploy layered infrastructure — a rotating constellation of attack domains backed by legitimate CDN providers, compromised subdomains, and freshly minted TLS certificates — designed to stay ahead of blocklist latency.

This report documents recurring infrastructure patterns observed across 1,400+ phishing campaigns analysed by the TrustSniffer engine between January and May 2026, with a focus on operations targeting Web3 wallets, DeFi protocols, and crypto exchanges.


CDN Abuse Patterns

The most prevalent tactic we observe is the abuse of CDN providers — particularly Cloudflare, Fastly, and BunnyCDN — to front phishing pages behind legitimate infrastructure. Because the originating IP belongs to the CDN, traditional IP-reputation blocklists fail entirely.

How It Works

An attacker registers a lookalike domain (e.g., uniswap-app[.]io), sets up a Cloudflare account under a disposable identity, and proxies the malicious origin server through Cloudflare's network. From the victim's perspective — and many automated scanners — the page appears to be "behind Cloudflare" and therefore legitimate.

"In 73% of CDN-abused campaigns we tracked, the phishing page was live for fewer than 6 hours before the CDN account was suspended — but that window was sufficient to harvest credentials from thousands of victims."

Our detection approach relies on behavioural fingerprinting of the page itself rather than IP reputation: JavaScript execution patterns, form submission endpoints, wallet-connect library versions, and DOM structure all provide classification signals independent of network infrastructure.
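
The page-level signals described above (DOM structure, form submission endpoints) as working code. This is an added example, not TrustSniffer's classifier: the three HTML pages are constructed, the collection hosts `collect-a.example` / `collect-b.example` are made up, and the fingerprint design (hash the tag skeleton while ignoring text and attribute values, then cluster pages on the hosts their forms submit to) is one reasonable reading of the signals the report names, not its exact method.

```python
"""Infrastructure-independent page fingerprints: DOM skeleton hash and form endpoints.

Added example, not TrustSniffer's classifier. The sample pages below are
constructed HTML and the fingerprint design is an assumption for illustration.
"""
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that never have a closing tag; they must not change nesting depth.
VOID_ELEMENTS = {"input", "img", "br", "meta", "link", "hr", "source"}


class SkeletonExtractor(HTMLParser):
    """Record tag names with nesting depth, plus every <form action=...>."""

    def __init__(self):
        super().__init__()
        self.skeleton = []        # entries like "3:form" -> a <form> at depth 3
        self.form_actions = []
        self.depth = 0

    def _record(self, tag, attrs):
        self.skeleton.append(f"{self.depth}:{tag}")
        if tag == "form":
            self.form_actions.append(dict(attrs).get("action") or "")

    def handle_starttag(self, tag, attrs):
        self._record(tag, attrs)
        if tag not in VOID_ELEMENTS:
            self.depth += 1

    def handle_startendtag(self, tag, attrs):
        self._record(tag, attrs)  # self-closing tag: depth unchanged

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS:
            self.depth = max(0, self.depth - 1)


def fingerprint(html):
    """Return a structural hash and the hosts the page's forms submit to.

    Brand text, wording and attribute values are deliberately excluded, so a
    kit re-skinned for a different target still yields the same dom_hash.
    """
    parser = SkeletonExtractor()
    parser.feed(html)
    parser.close()
    skeleton = "|".join(parser.skeleton)
    hosts = {urlsplit(a).netloc for a in parser.form_actions if urlsplit(a).netloc}
    return {
        "dom_hash": hashlib.sha256(skeleton.encode()).hexdigest()[:16],
        "tag_count": len(parser.skeleton),
        "form_hosts": sorted(hosts),
    }


def cluster_by_template(pages):
    """Group page names that share a DOM skeleton: {dom_hash: [name, ...]}."""
    clusters = defaultdict(list)
    for name, html in pages.items():
        clusters[fingerprint(html)["dom_hash"]].append(name)
    return dict(clusters)


# Constructed sample pages (not captured from real campaigns). A and B are the
# same kit re-skinned for two brands with different collection endpoints.
PAGE_A = """<html><head><title>Connect Wallet</title></head>
<body><div class="box"><h1>Uniswap</h1><p>Connect to continue</p>
<form action="https://collect-a.example/submit" method="post">
<input name="passphrase"><input type="submit"></form></div></body></html>"""

PAGE_B = """<html><head><title>Verify Account</title></head>
<body><div class="panel"><h1>MetaMask</h1><p>Verify to continue</p>
<form action="https://collect-b.example/go" method="post">
<input name="recovery"><input type="submit"></form></div></body></html>"""

PAGE_C = """<html><head><title>Docs</title></head>
<body><main><article><h2>Release notes</h2><ul><li>one</li><li>two</li></ul>
</article></main></body></html>"""

SAMPLE_PAGES = {"kit_brand_a": PAGE_A, "kit_brand_b": PAGE_B, "unrelated_docs": PAGE_C}

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, fingerprint(html))
    print(cluster_by_template(SAMPLE_PAGES))
```

Because the hash covers only tags and nesting, a kit re-skinned for a different brand still collides, while the form hosts give a second pivot to tie campaigns together across otherwise unrelated domains.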

Subdomain Takeover

A secondary pattern involves identifying stale DNS records that still point to deprovisioned cloud services (S3 buckets, Heroku dynos, GitHub Pages). By claiming the orphaned resource, an attacker gains a *.legitimate-company.com subdomain — complete with an inherited trust reputation.

# Example: dangling CNAME pointing to unclaimed S3 bucket
$ dig +short CNAME wallet.targetexchange.com
targetexchange-wallet-prod.s3-website-us-east-1.amazonaws.com.

# Attacker claims the S3 bucket, hosts phishing page
# Result: wallet.targetexchange.com resolves to attacker content

TrustSniffer's DNS module continuously monitors CNAME chains for dangling references across tracked domains, generating alerts before adversaries can exploit them.
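
The dangling-CNAME check the paragraph describes, written out as an added example. It is not TrustSniffer's DNS module: the list of takeover-prone service suffixes is an assumption, the CNAME records and the set of "claimed" targets are constructed offline stand-ins for a live `dig` and an HTTP probe, and only `wallet.targetexchange.com` and its S3 target come from the page's own example above.

```python
"""Dangling-CNAME detection for subdomain-takeover exposure.

Added example, not TrustSniffer's DNS module. The service suffixes are an
assumed list; the resolver and claim-check below are constructed fixtures.
"""
from dataclasses import dataclass

# Hosted services where deleting the resource leaves the CNAME target free for
# anyone to re-register (assumed, partial list; extend from your own inventory).
TAKEOVER_PRONE_SUFFIXES = (
    ".s3-website-us-east-1.amazonaws.com",
    ".s3.amazonaws.com",
    ".herokuapp.com",
    ".github.io",
)


@dataclass
class Finding:
    hostname: str
    chain: list
    terminal: str
    reason: str


def follow_cname_chain(hostname, resolve_cname, max_depth=8):
    """Return the ordered CNAME targets reached from hostname.

    resolve_cname(name) returns the CNAME target, or None when the name has no
    CNAME (or does not exist). A seen-set and depth cap stop CNAME loops.
    """
    chain = []
    current = hostname.rstrip(".").lower()
    seen = {current}
    for _ in range(max_depth):
        target = resolve_cname(current)
        if target is None:
            break
        target = target.rstrip(".").lower()
        if target in seen:
            break  # CNAME loop: stop rather than spin
        chain.append(target)
        seen.add(target)
        current = target
    return chain


def check_dangling(hostname, resolve_cname, target_is_claimed):
    """Return a Finding when the chain ends at an unclaimed takeover-prone host."""
    chain = follow_cname_chain(hostname, resolve_cname)
    if not chain:
        return None
    terminal = chain[-1]
    for suffix in TAKEOVER_PRONE_SUFFIXES:
        if terminal.endswith(suffix) and not target_is_claimed(terminal):
            return Finding(hostname, chain, terminal,
                           f"terminal CNAME target on {suffix.lstrip('.')} is unclaimed")
    return None


# --- Constructed offline fixtures (stand-ins for dig and an HTTP probe) ---
# wallet.targetexchange.com is the page's own example; the other names are made up.
CNAME_RECORDS = {
    "wallet.targetexchange.com": "targetexchange-wallet-prod.s3-website-us-east-1.amazonaws.com.",
    "docs.targetexchange.com": "targetexchange.github.io.",
    "www.targetexchange.com": "edge.targetexchange.com.",
    "edge.targetexchange.com": "cdn-frontend.example-cdn.net.",
    "status.targetexchange.com": "targetexchange-status.herokuapp.com.",
    "loop.targetexchange.com": "loop2.targetexchange.com.",
    "loop2.targetexchange.com": "loop.targetexchange.com.",
}

# Targets that currently exist. In production this is a probe of the terminal
# target: an S3 website endpoint answering NoSuchBucket, or the provider's own
# "no site here" 404 page for GitHub Pages / Heroku, means the name is unclaimed.
CLAIMED_TARGETS = {"targetexchange.github.io", "cdn-frontend.example-cdn.net"}


def resolve_cname(name):
    return CNAME_RECORDS.get(name)


def target_is_claimed(name):
    return name in CLAIMED_TARGETS


def scan(hostnames):
    """Return {hostname: Finding or None} for every monitored name."""
    return {h: check_dangling(h, resolve_cname, target_is_claimed) for h in hostnames}


if __name__ == "__main__":
    for host, finding in scan(sorted(CNAME_RECORDS)).items():
        print(f"{host:30} {'OK' if finding is None else 'DANGLING: ' + finding.reason}")
```

The check runs on the terminal of the chain rather than the first hop, since a record that points at an internal alias which in turn points at a deleted bucket is just as exposed as a direct CNAME.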

Certificate Harvesting as a Detection Signal

Every domain receiving a TLS certificate appears in the Certificate Transparency (CT) logs within minutes. By streaming CT logs and applying pattern-matching against known brand names, typosquat variants, and homoglyph substitutions, we can detect phishing infrastructure at the moment of provisioning — often before the domain resolves.

Detection Signals We Use

  • CT log streaming with brand-similarity scoring (Levenshtein + homoglyph)
  • JavaScript AST fingerprinting for known wallet-drain patterns
  • Form action endpoint clustering across campaigns
  • DOM structure hashing to detect page template reuse
  • WHOIS velocity: newly registered domains with privacy guard
  • MX record absence (phishing domains rarely need email delivery)
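
The CT-log brand-similarity scoring described in the "Certificate Harvesting" section and the first bullet above (Levenshtein distance plus homoglyph folding), as an added example rather than TrustSniffer's engine. The brand watchlist, the allowlist of brand-owned domains, the confusable map, the small dictionary of common words and the distance thresholds are all assumptions chosen for illustration; the sample hostnames are constructed apart from the three indicators listed on this page. It also handles two details a CT stream forces on you: internationalised names arrive as punycode (`xn--`) and must be decoded before confusables are visible, and dictionary words that sit one edit from a brand ("finance" vs "binance") must not be scored on distance alone.

```python
"""Brand-similarity scoring for hostnames pulled from Certificate Transparency logs.

Added illustration, not TrustSniffer's detection engine. Watchlist, allowlist,
homoglyph map, dictionary and thresholds are assumptions for this example.
"""
import re
import unicodedata

BRANDS = ("uniswap", "metamask", "binance")                 # assumed watchlist
ALLOWLIST = {"uniswap.org", "metamask.io", "binance.com"}   # assumed brand-owned domains

# Confusable substitutions (assumed, partial). Multi-character entries first so
# "rn" -> "m" is applied before single-character rules could mask it.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),  # Cyrillic
]

# Ordinary words within an edit or two of a brand. They only count when the
# brand itself is embedded, never on distance, to avoid false positives.
DICTIONARY = {"finance", "balance", "support", "secure", "login", "wallet", "app"}


def normalize(label):
    """Fold accents and confusables so lookalikes compare against plain ASCII."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def decode_label(label):
    """CT entries carry IDNs as punycode (xn--); decode so confusables are visible."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def levenshtein(a, b):
    """Classic edit distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def max_distance(brand):
    """Tolerate one edit for short brands, two for longer ones (assumed thresholds)."""
    return 1 if len(brand) <= 7 else 2


def score_hostname(hostname):
    """Return (brand, distance, reason) for a suspicious host, or None."""
    host = hostname.lower().rstrip(".").replace("[.]", ".")   # accept defanged input
    if host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST):
        return None
    labels = [normalize(decode_label(lab)) for lab in host.split(".")]
    labels = labels[:-1]   # naive TLD strip; use the Public Suffix List in production
    if not labels:
        return None
    joined = "".join(labels)
    tokens = [t for lab in labels for t in re.split(r"[-_]", lab) if t]
    best = None
    for brand in BRANDS:
        if brand in joined:
            candidate = (brand, 0, "brand name embedded in non-brand domain")
        else:
            distances = [levenshtein(t, brand) for t in tokens if t not in DICTIONARY]
            if not distances or min(distances) > max_distance(brand):
                continue
            candidate = (brand, min(distances), "typosquat or homoglyph of brand")
        if best is None or candidate[1] < best[1]:
            best = candidate
    return best


# Constructed batch as it might arrive from a CT stream. The first three are the
# indicators listed in this report; the rest are made up for the example.
SAMPLE_CT_HOSTS = [
    "uniswap-app[.]io",
    "metamask-secure[.]net",
    "binance-support[.]help",
    "app.uniswap.org",
    "my-finance.com",
    "un1swap.finance",
    "m\u0435tamask-login.com",   # Cyrillic 'е' (U+0435) in place of Latin 'e'
]


def scan_ct_batch(hosts):
    """Map each hostname to its best brand match (None when nothing matched)."""
    return {h: score_hostname(h) for h in hosts}


if __name__ == "__main__":
    for host, match in scan_ct_batch(SAMPLE_CT_HOSTS).items():
        print(f"{host:32} {match}")
```

A hit here is a trigger for the page-level checks, not a verdict on its own: brand-adjacent names are registered legitimately all the time, which is why the distance thresholds stay tight and the dictionary filter exists.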

Indicator Table (Sample)

Domain                    Type                Score      First Seen
uniswap-app[.]io          Wallet Drain        4 / 100    2026-05-14
metamask-secure[.]net     Credential Harvest  7 / 100    2026-05-20
binance-support[.]help    Support Scam        18 / 100   2026-05-28

Conclusion

Effective phishing detection in 2026 requires moving beyond IP-reputation and static blocklists. The adversary has optimised specifically to defeat those controls. Signal-rich behavioural analysis — combining CT log streaming, DOM fingerprinting, DNS telemetry, and on-chain wallet correlation — is the only reliable approach at scale.

All indicators in this report have been ingested into the TrustSniffer threat database. You can query any domain against our intelligence pipeline directly from the Analysis Workbench.


Written by TrustSniffer Analyst Team

Our threat intelligence analysts operate a continuous monitoring pipeline across web, DNS, on-chain, and Telegram vectors — publishing findings to this blog as actionable intelligence for the security community.