# PhishDestroy threat dossier — app.rackswin.com
================================================================
Fetched: 2026-06-26 23:16:51 UTC
Canonical: https://phishdestroy.io/domain/app.rackswin.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Phishing kit: Gambler Scam
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 17/91 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, Netcraft, SOCRadar, Sophos, VIPRE
URLQuery: 3 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.67.165.220 (RO, Bucharest)
ASN: AS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org: AS399629 BL Networks
Registrar: Fewmoretaps OU d/b/a Trustname.com

!!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!!
Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity, Belarusian ownership. Explicitly advertises itself as 'bulletproof' in its DNS TXT records.
Primary source: https://phishdestroy.io/trustname-bulletproof-exposed

Nameservers: albert.ns.cloudflare.com, irena.ns.cloudflare.com
Registered: 2026-04-29
Expires: 2027-04-29
Page title: Rackswin: Most Popular Online Crypto Casino Based on Blockchain

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: none
Status: INVALID chain

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-29 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-24 14:09:13 UTC (by PhishDestroy tracker)
First reported: 2026-06-24 12:15:02 UTC (abuse notice filed)
Last verified: 2026-06-27 01:15:34 UTC
Neutralised: 2026-06-24 18:19:01 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019ef987-0313-7293-bac3-fd9842e76e0a/
URLQuery: https://urlquery.net/report/1125f775-4537-45c9-b631-b8a9f40e4a41
Wayback Machine: https://web.archive.org/web/*/app.rackswin.com
crt.sh CT logs: https://crt.sh/?q=%25.app.rackswin.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=app.rackswin.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/app.rackswin.com
URLhaus: https://urlhaus.abuse.ch/host/app.rackswin.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 19:23:05 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

Analysis indicates that app.rackswin.com was associated with a brand impersonation operation targeting the crypto casino and online gambling sector. The observed page title, "Rackswin: Most Popular Online Crypto Casino Based on Blockchain," suggests an attempt to present itself as a legitimate gambling-related platform and potentially leverage brand recognition to attract users. Such impersonation campaigns are commonly used to redirect victims, collect account credentials, solicit deposits, or facilitate other forms of user deception. The domain has since been taken offline, reducing immediate exposure but not eliminating residual risk associated with prior activity.

Infrastructure analysis reveals several notable indicators. The domain was created on April 29, 2026 and registered through Fewmoretaps OU d/b/a Trustname.com. DNS resolution records associated the domain with IP address 172.67.165.220. The domain utilized a Let's Encrypt SSL certificate at the time of observation.

Security telemetry shows that 17 out of 95 security vendors flagged the domain, indicating a significant level of detection across threat intelligence sources. The domain appeared on 1 security blocklist and was blocked by PhishDestroy. The identified threat category is brand impersonation, specifically targeting a crypto casino and gambling brand. Current observations indicate the site is no longer accessible and its operational status is offline.

Although the infrastructure has been taken offline, defensive measures remain warranted. Organizations should review historical network, DNS, proxy, and authentication logs for connections to app.rackswin.com and investigate any user interaction that occurred before the takedown. Any credentials, wallet identifiers, account information, or financial details submitted through the site should be considered potentially exposed and subjected to remediation procedures.
Security teams should maintain detection signatures for the domain, associated IP address 172.67.165.220, and related indicators to identify possible re-emergence through alternative domains or infrastructure. Continued monitoring is recommended because impersonation campaigns frequently migrate to newly registered domains after disruption, preserving residual risk despite the current offline status.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260624-465E10
Favicon MD5: 50679c0c5e3ed56d05c1d0ed312419a7

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/app.rackswin.com/
JSON API: https://api.destroy.tools/v1/check?domain=app.rackswin.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,646 domains (12,255 alive under monitoring, 158,002 confirmed takedowns/dead).
Site: https://phishdestroy.io