Skip to content

[APPEAL] irys.xyz (REF 6E04C64E) — legitimate L1, status incorrectly marked Taken Down #308

Description

@gwolf96

Blocked domains

https://irys.xyz

Why should this be unblocked?

Hi PhishDestroy team,

I am Gustavo Lobo, CMO at Irys (https://irys.xyz). I am filing an appeal for the listing of irys.xyz (REF 6E04C64E, Risk Score 61/100, classification HIGH).

This is a classification error containing a factual inaccuracy that's verifiable in seconds.

Key issues with the current listing

1. The "Taken Down" status is wrong. irys.xyz is fully operational right now. It serves our marketing site, blog at /blog, documentation at docs.irys.xyz, security policy at /security, and abuse form at /report-abuse. A simple curl -I https://irys.xyz from any network will confirm. Whatever snapshot triggered the "offline" classification was misattributed or captured during a transient issue.

2. Your own classifier flags our security.txt as a positive signal. Quoting your Site Configuration Analysis on the listing: "security.txt is unusual for phishing — could indicate legitimate infrastructure." We deployed RFC 9116 security.txt at https://irys.xyz/.well-known/security.txt and a full security policy at https://irys.xyz/security on June 10, 2026. The security page documents:

  • Our complete subdomain inventory
  • Known impersonators (irys.vu and ethgasfoundation.app — both already on your DestroyList)
  • Our 24-hour abuse-handling SLA
  • All operated domains (datasprite-cdn.com, bundlr.network, irysnetwork.com, plus defensive registrations)

3. The WHOIS data in your report appears incorrect. Your report states the domain was "created on February 23, 2026" resolving to IP 192.99.13.108 (OVH). Irys (rebranded from Bundlr Network in 2024) has operated irys.xyz well before that, and our current infrastructure does not route through that IP. The "4 mo old" notation likely reflects an SSL certificate renewal (Let's Encrypt R12), not domain registration. Happy to provide WHOIS verification on request.

4. Only 1 of 95 VirusTotal vendors flags us. The single flag (Forcepoint ThreatSeeker) is downstream of the same incident affecting our uploader.irys.xyz subdomain, propagating through shared threat-intel feeds.

Related case

We have an active appeal on uploader.irys.xyz (case PD-20260210-ED4ECE), where the abuse was a third-party-uploaded Phantom wallet drainer ("Kumbaya" page) through our permissionless storage gateway. That content has been offline since March 15, 2026, re-verified offline on June 10, 2026. The legitimate uploader.irys.xyz/ root continues to return the expected Irys SDK wallet-address JSON.

About Irys

Layer-1 data infrastructure for AI and blockchain developers. Project formerly known as Bundlr Network.

Verification (please load these directly)

What we are asking

  1. Re-evaluation of REF 6E04C64E
  2. Correction of the "Taken Down" status (the domain is verifiably operational)
  3. Removal of irys.xyz from the DestroyList based on the legitimacy signals your own classifier identified
  4. Coordination with the related uploader.irys.xyz case PD-20260210-ED4ECE

Happy to provide WHOIS records, corporate registration, or a video call with engineering on request.

Contact: security@irys.xyz
Site owner: Gustavo Lobo, CMO, Irys

Contact email (optional)

security@irys.xyz

Duplicate check

  • This is not a duplicate request

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions