# PhishDestroy threat dossier — 2026-kralbet-guncelgirisi.com ================================================================ Fetched: 2026-07-14 04:31:06 UTC Canonical: https://phishdestroy.io/domain/2026-kralbet-guncelgirisi.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 83/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/91 security vendors flagged this domain URLQuery: 2 detections Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.66.142.98 (BE, Brussels) ASN: AS200514 KnownSRV Ltd. Hosting org: Known Holdings LTD Registrar: Gname.com Pte. Ltd. Nameservers: a.share-dns.com, a3.share-dns.com, b.share-dns.net, b3.share-dns.net Registered: 2026-03-10 Expires: 2027-03-10 Page title: Bakımdayız — Yakında HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-09-29 Status: INVALID chain Fingerprint: 2976d90de71b8502bd57ba98ee82742f28c69377da57b1de6aac2fffa915f46b Subject Alternative Names (related infrastructure — often same operator): - kralbetgirisix.co - tr.kralbetgirisix.co - www.kralbetgirisix.co ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-03-10 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 17:38:48 UTC (by PhishDestroy tracker) First reported: 2026-07-12 16:55:03 UTC (abuse notice filed) Last verified: 2026-07-14 04:20:38 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f56fa-ca8a-73a3-897c-557d93a71453/ URLQuery: https://urlquery.net/report/29e41f72-a63b-47b5-82cf-db96315e5e98 Wayback Machine: https://web.archive.org/web/*/2026-kralbet-guncelgirisi.com crt.sh CT logs: https://crt.sh/?q=%25.2026-kralbet-guncelgirisi.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=2026-kralbet-guncelgirisi.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/2026-kralbet-guncelgirisi.com URLhaus: https://urlhaus.abuse.ch/host/2026-kralbet-guncelgirisi.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-13 00:15:21 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, 2026-kralbet-guncelgirisi.com, is currently under investigation for phishing activity targeting users of online betting platforms. Registered on March 10, 2026, through Gname.com Pte. Ltd., the domain resolves to the IP address 185.66.142.98, located in Belgium and associated with Known Holdings LTD. Infrastructure analysis reveals the use of shared DNS servers (a.share-dns.com, a3.share-dns.com, b.share-dns.net, b3.share-dns.net), a common tactic among phishing domains to obscure ownership and evade takedowns. The SSL certificate is issued by Let's Encrypt (YR1), which, while legitimate, is frequently exploited by threat actors due to its low-cost and automated issuance process. The page title, 'Bakımdayız — Yakında' (translating to 'Under Maintenance — Coming Soon'), is a known evasion technique to avoid immediate detection while the domain remains operational. The HTTP status returns a 200 code, indicating an active server response, though the exact content of the page has not been analyzed. The domain appears on one security blocklist and is flagged by PhishDestroy, though no detections are currently recorded by the 91 vendors that have scanned it on VirusTotal. This absence of detections does not confirm the domain's safety but may reflect delayed or incomplete scanning coverage. Defenders should treat this domain as high-risk due to its infrastructure, registration patterns, and association with known phishing indicators. The use of shared DNS, a recently registered domain, and a generic maintenance page suggests an attempt to impersonate a legitimate betting portal, though the specific brand being mimicked is not confirmed in the available data. Network-level blocking of the IP 185.66.142.98 and monitoring of associated DNS servers is recommended until further analysis confirms the domain's intent or takedown occurs. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-B16CBD TLS cert SHA-256: 2976d90de71b8502bd57ba98ee82742f28c69377da57b1de6aac2fffa915f46b ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/2026-kralbet-guncelgirisi.com/ JSON API: https://api.destroy.tools/v1/check?domain=2026-kralbet-guncelgirisi.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,334 domains (50,011 alive under monitoring, 128,323 confirmed takedowns/dead). Site: https://phishdestroy.io