# PhishDestroy threat dossier — 18057.xyz ================================================================ Fetched: 2026-07-02 16:43:26 UTC Canonical: https://phishdestroy.io/domain/18057.xyz/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 16/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, Netcraft, SOCRadar, Sophos, Webroot Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 103.27.177.163 (HK, Mong Kok) ASN: AS135357 HONG KONG KOWLOON TELECOMMUNICATIONS CO.,LIMITED Hosting org: HONG KONG KOWLOON TELECOMMUNICATIONS CO., LIMITED Registrar: GMO Internet, Inc. Nameservers: a.share-dns.com, a5.share-dns.com, b.share-dns.net, b5.share-dns.net Registered: 2026-06-28 Expires: 2027-06-28 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-09-29 Status: INVALID chain Fingerprint: 2bd5885a7c3e585acb4998d3d80396b713367f2ec3feb9dd4e83cdb514118bd2 Subject Alternative Names (related infrastructure — often same operator): - 100373.cc - 100379.cc - 100385.cc - 100387.cc - 100389.cc - 100391.cc - 100537.cc - 17969.xyz - 17970.xyz - 17974.xyz - 17975.xyz - 17978.xyz - 17979.xyz - 17980.xyz - 17981.xyz ... +84 more ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-01 14:20:24 UTC (by PhishDestroy tracker) First reported: 2026-07-01 12:22:52 UTC (abuse notice filed) Last verified: 2026-07-02 16:20:38 UTC Neutralised: 2026-07-02 00:02:34 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f1d9d-ba35-75f9-bc55-064aef2b1e6b/ URLQuery: https://urlquery.net/report/2d138572-441a-47da-9aa0-ca065904ea46 Wayback Machine: https://web.archive.org/web/*/18057.xyz crt.sh CT logs: https://crt.sh/?q=%25.18057.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=18057.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/18057.xyz URLhaus: https://urlhaus.abuse.ch/host/18057.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-01 14:26:14 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is currently under investigation for credential theft operations targeting financial service users. Analysis indicates the infrastructure is designed to harvest login credentials through fraudulent login portals, likely mimicking legitimate banking or payment platforms. The domain presents a low immediate detection footprint but maintains operational readiness, suggesting potential for rapid escalation in malicious activity. Infrastructure analysis reveals the domain 18057.xyz was registered on June 28, 2026, through GMO Internet, Inc. and resolves to the IP address 103.27.177.163. The site employs a Let's Encrypt SSL certificate, providing a superficial layer of legitimacy. As of the latest assessment, no security vendors on VirusTotal (0/95) have flagged the domain, and no blocklist providers have identified it as malicious. The absence of detections does not correlate with safety, as the domain remains active and unmonitored by most threat intelligence platforms. Organizations and individuals should implement immediate mitigation measures to counter credential theft risks. Network-level blocking of 103.27.177.163 and 18057.xyz is recommended for enterprise environments. End-users should be educated to verify domain authenticity before entering credentials, particularly on sites requesting financial or personal data. Monitoring for unusual authentication attempts from the associated IP range may help detect compromised accounts. Given the domain's recent registration and lack of prior scrutiny, continuous monitoring for new detections or infrastructure changes is advised. [Updates since narrative was generated:] - Public blocklists: now listed on 1 feed - VirusTotal detections: now 16/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260701-8B1EF2 Favicon MD5: b8a0bf372c762e966cc99ede8682bc71 TLS cert SHA-256: 2bd5885a7c3e585acb4998d3d80396b713367f2ec3feb9dd4e83cdb514118bd2 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/18057.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=18057.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 173,920 domains (14,617 alive under monitoring, 158,575 confirmed takedowns/dead). Site: https://phishdestroy.io