# PhishDestroy threat dossier — 17204.xyz
================================================================
Fetched: 2026-07-04 17:27:23 UTC
Canonical: https://phishdestroy.io/domain/17204.xyz/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 70/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 18/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, OpenPhish, Seclookup, SOCRadar, Sophos, Webroot
URLQuery: 5 detections
AlienVault OTX: 1 pulse (threat-intel feed mentions)
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 103.27.177.163 (HK, Mong Kok)
ASN: AS135357 HONG KONG KOWLOON TELECOMMUNICATIONS CO.,LIMITED
Hosting org: HONG KONG KOWLOON TELECOMMUNICATIONS CO., LIMITED
Registrar: GMO Internet, Inc.
Nameservers: a.share-dns.com, a10.share-dns.com, b.share-dns.net, b10.share-dns.net
Registered: 2026-06-04
Expires: 2027-06-04

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR1
Expires: 2026-09-12
Status: INVALID chain
Fingerprint: 16424677463c7f2f4534c270f95f0dcb8f1d6b589fc928c3183d40712a2c85e1
Subject Alternative Names (related infrastructure — often same operator):
- 17098.xyz
- 17100.xyz
- 17104.xyz
- 17107.xyz
- 17109.xyz
- 17112.xyz
- 17116.xyz
- 17120.xyz
- 17183.xyz
- 17185.xyz
- 17188.xyz
- 17191.xyz
- 17194.xyz
- 17196.xyz
- 17198.xyz
... +34 more

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-04 12:41:44 UTC (by PhishDestroy tracker)
First reported: 2026-07-04 10:47:35 UTC (abuse notice filed)
Last verified: 2026-07-04 18:20:16 UTC
Neutralised: 2026-07-04 18:17:26 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f2cb7-2034-76db-b4ea-795da0af782c/
URLQuery: https://urlquery.net/report/2bc5a568-f591-480c-aeda-5a13c9d6f4b5
Wayback Machine: https://web.archive.org/web/*/17204.xyz
crt.sh CT logs: https://crt.sh/?q=%25.17204.xyz
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=17204.xyz
AlienVault OTX: https://otx.alienvault.com/indicator/domain/17204.xyz
URLhaus: https://urlhaus.abuse.ch/host/17204.xyz/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-04 12:45:54 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, 17204.xyz, is actively serving a fake login portal designed to harvest user credentials. Analysis indicates the infrastructure is configured to mimic legitimate authentication pages, likely targeting corporate or financial service users.
The domain employs social engineering tactics, such as cloned branding and urgent login prompts, to deceive victims into submitting sensitive information. Given the high-risk classification, this campaign poses a significant threat to both individual and organizational security, with potential for credential theft leading to unauthorized account access or secondary attacks.

Infrastructure analysis reveals the following technical indicators: the domain was registered on June 04, 2026, through GMO Internet, Inc., a registrar frequently associated with malicious activity. It resolves to the IP address 103.27.177.163 and uses a Let's Encrypt SSL certificate to create a false sense of security. As of the latest assessment, 17 out of 95 security vendors on VirusTotal have flagged 17204.xyz as malicious, with detection labels including "phishing," "fraudulent site," and "credential harvester." The domain remains active and unblocked by many enterprise security solutions, increasing its potential reach.

Users who have visited 17204.xyz or entered credentials on the site should immediately take corrective action. First, revoke any sessions associated with the compromised account and change passwords using a trusted device. Enable multi-factor authentication (MFA) if not already active, and monitor the account for suspicious activity, such as unauthorized logins or transactions. If corporate credentials were exposed, notify the organization's security team to initiate an incident response. Additionally, scan the device used to access the site for malware, as phishing pages may deploy secondary payloads. Block the domain and its associated IP (103.27.177.163) at the network level to prevent further exposure.
## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260704-DED1CA
Favicon MD5: b8a0bf372c762e966cc99ede8682bc71
TLS cert SHA-256: 16424677463c7f2f4534c270f95f0dcb8f1d6b589fc928c3183d40712a2c85e1

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/17204.xyz/
JSON API: https://api.destroy.tools/v1/check?domain=17204.xyz
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,666 domains (12,655 alive under monitoring, 161,167 confirmed takedowns/dead).
Site: https://phishdestroy.io