# PhishDestroy threat dossier — acl-freightflow.top ================================================================ Fetched: 2026-07-12 18:32:44 UTC Canonical: https://phishdestroy.io/domain/acl-freightflow.top/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 81/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/95 security vendors flagged this domain AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.66.143.35 (NL, Amsterdam) ASN: AS200514 KnownSRV Ltd. Hosting org: KnownSRV Ltd Registrar: Cosmotown Nameservers: ns19.knownsrv.com, ns20.knownsrv.com Registered: 2026-05-23 Expires: 2027-05-23 Page title: Acl-freightflow Welcome to Acl-freightflow Courier ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-09-19 Status: INVALID chain Fingerprint: 88632ae3e0eef4cc513b9fa07edc8ff3eb41ce3edfc164db82b8049470ff897b Subject Alternative Names (related infrastructure — often same operator): - acl-freightflow.top.fastlinegroupplc.com - www.acl-freightflow.top.fastlinegroupplc.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 16:21:30 UTC (by PhishDestroy tracker) First reported: 2026-07-12 17:07:54 UTC (abuse notice filed) Last verified: 2026-07-12 20:30:14 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f56b4-0232-7148-a8e8-ac2964e3efd6/ URLQuery: https://urlquery.net/report/7a7a39e8-7cee-41f7-9f97-9f5215f1dd2e Wayback Machine: https://web.archive.org/web/*/acl-freightflow.top crt.sh CT logs: https://crt.sh/?q=%25.acl-freightflow.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=acl-freightflow.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/acl-freightflow.top URLhaus: https://urlhaus.abuse.ch/host/acl-freightflow.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 16:51:53 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, acl-freightflow.top, is under investigation for credential phishing targeting logistics and freight sectors. Registered on May 23, 2026, through Cosmotown, the domain currently resolves to the IP address 185.66.143.35. While passive DNS and infrastructure analysis reveal no immediate redirection chains or known malicious subdomains, the domain has been flagged in two threat intelligence pulses on AlienVault OTX, suggesting prior association with phishing campaigns. The SSL certificate issued by Let's Encrypt is standard for both legitimate and malicious sites, offering no conclusive evidence of intent. Analysis indicates the domain name mimics legitimate freight and logistics services, a common tactic in credential harvesting schemes. The lack of detections on VirusTotal (0/95) does not confirm safety, as phishing domains often evade initial detection during the early stages of deployment. The domain remains active, and its infrastructure warrants further monitoring for signs of malicious activity, such as newly created subdomains or changes in hosting patterns. Defenders should prioritize monitoring for connections to this domain from internal networks, particularly in logistics or supply chain environments. Network-level blocking or alerting on DNS requests to acl-freightflow.top is recommended until further analysis confirms its legitimacy or malicious intent. If additional indicators emerge, such as phishing kits or confirmed victim reports, the risk assessment should be updated accordingly. At this stage, no definitive attribution to a specific threat actor or campaign has been established. [Updates since narrative was generated:] - VirusTotal detections: now 1/95 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-C9009B Favicon MD5: c0c4918f51ab99a2f883ea7c0954d411 TLS cert SHA-256: 88632ae3e0eef4cc513b9fa07edc8ff3eb41ce3edfc164db82b8049470ff897b ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/acl-freightflow.top/ JSON API: https://api.destroy.tools/v1/check?domain=acl-freightflow.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,874 domains (49,621 alive under monitoring, 128,253 confirmed takedowns/dead). Site: https://phishdestroy.io