# PhishDestroy threat dossier — b41b.top
================================================================
Fetched: 2026-07-01 05:56:10 UTC
Canonical: https://phishdestroy.io/domain/b41b.top/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 71/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 15/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, CRDF, Emsisoft, Fortinet, LevelBlue, Netcraft, OpenPhish, Sophos, Webroot
URLQuery: 2 detections
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 154.39.104.136 (HK, Chai Wan)
ASN: AS18186 Nebula Global LLC
Hosting org: StarCloudGlobal-HK
Registrar: NameMart Pte. Ltd.
Nameservers: ns1.1111343.com, ns1.dnsbm.com, ns2.1111343.com, ns2.dnsbm.com, ns3.1111343.com, ns4.1111343.com
Registered: 2026-06-22
Expires: 2027-06-22

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR2
Expires: 2026-09-22
Status: INVALID chain
Fingerprint: 9d7cf2633f3d07ff9a975e56d4268afc5db072a24c973a9cd7aeb97e5f344ab6
Subject Alternative Names (related infrastructure — often same operator):
- b40x.top
- b40y.top
- b40z.top
- b41c.top
- f36v.top
- f36w.top
- f36x.top
- f36y.top
- f37a.top
- k76t.top
- k76u.top
- k76v.top
- k76w.top
- k76x.top
- www.b40x.top
... +14 more

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-22 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-01 02:28:54 UTC (by PhishDestroy tracker)
First reported: 2026-07-01 00:39:36 UTC (abuse notice filed)
Last verified: 2026-07-01 07:45:48 UTC
Neutralised: 2026-07-01 03:03:12 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f1b12-537f-75df-9bad-1c459c89a37d/
URLQuery: https://urlquery.net/report/63d624d5-bbfe-4c8a-849e-7c54eb2bd1c5
Wayback Machine: https://web.archive.org/web/*/b41b.top
crt.sh CT logs: https://crt.sh/?q=%25.b41b.top
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=b41b.top
AlienVault OTX: https://otx.alienvault.com/indicator/domain/b41b.top
URLhaus: https://urlhaus.abuse.ch/host/b41b.top/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-01 02:35:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The risk level associated with domain b41b.top is categorized as high, with the specific threat type identified as generic phishing. This classification indicates a heightened potential for users to be deceived into providing sensitive information under false pretenses, typically through deceptive emails or websites designed to imitate legitimate entities.

Analysis of this domain reveals critical data points: it was created on June 22, 2026, and is currently registered through NameMart Pte. Ltd. The domain resolves to the IP address 154.39.104.136, which is noted for its association with malicious activity. Furthermore, the domain is flagged by 9 out of 95 security vendors on VirusTotal, indicating recognition of its threats across industry platforms. It is noteworthy that while the domain holds an SSL certificate issued by Let's Encrypt, this does not mitigate the risks, as attackers often use SSL certificates to add an air of legitimacy to their fraudulent operations.

To mitigate risks associated with generic phishing threats like b41b.top, organizations and individuals should implement stringent email filtering to detect and block communications originating from this domain. Continuous monitoring of incoming messages and user education regarding the identification of phishing attempts are critical. Phishing simulations and mandatory training sessions can further enhance awareness. In addition, utilizing threat intelligence feeds to stay updated on malicious domains and maintaining a proactive security posture will significantly reduce the likelihood of successful phishing attacks targeting users.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260701-0A0B08
TLS cert SHA-256: 9d7cf2633f3d07ff9a975e56d4268afc5db072a24c973a9cd7aeb97e5f344ab6

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/b41b.top/
JSON API: https://api.destroy.tools/v1/check?domain=b41b.top
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,369 domains (13,208 alive under monitoring, 159,487 confirmed takedowns/dead).
Site: https://phishdestroy.io