[APPEAL] irys.xyz FALSE POSITIVE #161

@gwolf96

Blocked domains

irys.xyz
gateway.irys.xyz
uploader.irys.xyz

Why should this be unblocked?

Hello PhishDestroy team,

I am Gustavo Lobo, CMO at Irys (https://irys.xyz), a Layer-1 programmable datachain. I am writing to appeal the classification of uploader.irys.xyz on your DestroyList.

Case reference: PD-20260210-ED4ECE

Status. Your own report confirms the threat is resolved: takedown logged March 15, 2026, status "Domain Taken Down." I independently re-verified on June 10, 2026 that the flagged path (/4w6sSeVKynfcVSG9YUDe1LJHM4aMWNhgrFvvBk5QmZko) returns an empty response. The legitimate uploader.irys.xyz/ root endpoint returns the expected JSON wallet-address map used by the Irys SDK.

What happened. A third party uploaded a Phantom wallet drainer page (titled "Kumbaya," same kit as the phntmom.com typo-squat your report links to) through our permissionless storage gateway. This was not Irys content. The same abuse pattern periodically affects IPFS and Arweave gateways, since any permissionless data layer can be used to host arbitrary content by anonymous uploaders.

Active impersonator context. Worth noting that Irys is also being actively impersonated by unrelated phishing operators. Your own DestroyList already includes ethgasfoundation.app (case E10677F8, page title literally reads "gateway.irys.xyz"), and irys.vu is a confirmed Angel Drainer kit. We monitor for both impersonation and infrastructure abuse, and publish the impersonator list at https://irys.xyz/security. Two unrelated phishing operators independently impersonating Irys infrastructure is evidence that Irys is a target, not an operator.

About Irys. Irys is a storage infrastructure for AI and blockchain developers. Mainnet launched November 25, 2025 (press release: https://chainwire.org/2025/11/25/irys-arrives-the-first-programmable-datachain-purpose-built-for-ai-launches-mainnet/). Backed by CoinFund. Token listed on Coinbase (https://www.coinbase.com/price/irys), CoinGecko, and CoinMarketCap. Open-source SDK at https://github.com/Irys-xyz.

Our remediation.

  1. The abusive content has been offline since March 15, 2026 (verified by PhishDestroy and re-verified by me on June 10, 2026).
  2. We have published https://irys.xyz/.well-known/security.txt per RFC 9116 with a security contact channel for future false-positive disputes and abuse reports.
  3. We have published a public security policy at https://irys.xyz/security documenting our 24-hour abuse-handling SLA, full subdomain inventory, and impersonator list.
  4. We are extending automated abuse scanning to all permissionless content surfaces (uploader.irys.xyz, gateway.irys.xyz, and our CDN infrastructure) so takedown stays ahead of feed propagation.

What we are asking. Please remove uploader.irys.xyz from the DestroyList, given that the threat has been resolved for three months and the parent project has now-published security infrastructure. We also ask you to revisit gateway.irys.xyz where I have re-verified the same path is offline.

Forensic evidence preserved for your reference:

Happy to provide additional documentation: corporate registration, takedown logs, or a video call with engineering.

Contact:

Thank you,
Gustavo Lobo
CMO, Irys

Contact email (optional)

security@irys.xyz

Duplicate check

  • This is not a duplicate request
