# PhishDestroy threat dossier — blekfilogan.webflow.io
================================================================
Fetched: 2026-07-02 18:20:47 UTC
Canonical: https://phishdestroy.io/domain/blekfilogan.webflow.io/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 18/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, BitDefender, Chong Lua Dao, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, Netcraft, OpenPhish, Sophos, VIPRE, Webroot
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.64.151.8 (US, San Francisco)
Hosting org: AS13335 Cloudflare, Inc.
Registrar: Webflow
Nameservers: NS_NOT_FOUND
Page title: BlóckFi @Login: Access Your Account Securely
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-08-25
Status: INVALID chain
Fingerprint: 0dc0be3d837e60b4433d84c67385bdc354bb83307d80c71fb67d87f1beec53c6
Subject Alternative Names (related infrastructure — often same operator):
- webflow.io

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
First detected: 2026-07-02 15:20:00 UTC (by PhishDestroy tracker)
Last verified: 2026-07-02 18:50:09 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f22fa-d918-755d-8467-d09306e60864/
Wayback Machine: https://web.archive.org/web/*/blekfilogan.webflow.io
crt.sh CT logs: https://crt.sh/?q=%25.blekfilogan.webflow.io
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=blekfilogan.webflow.io
AlienVault OTX: https://otx.alienvault.com/indicator/domain/blekfilogan.webflow.io
URLhaus: https://urlhaus.abuse.ch/host/blekfilogan.webflow.io/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-02 16:15:15 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, blekfilogan.webflow.io, is identified as a high-risk credential phishing site designed to harvest user login credentials. Analysis indicates no direct affiliation with a specific brand, though the infrastructure aligns with generic phishing campaigns often impersonating login portals for email services, financial institutions, or cloud platforms. No explicit drainer kit signatures have been detected in initial scans, but the domain exhibits characteristics consistent with credential harvesting frameworks, including form submission endpoints and SSL encryption for evasion.

Technical indicators confirm the domain's malicious classification. As of the latest scan, 18 out of 95 security vendors on VirusTotal flag blekfilogan.webflow.io as malicious, with detections spanning categories such as phishing, fraud, and suspicious web content.
The domain is registered through Webflow, a legitimate platform frequently abused for hosting phishing pages due to its ease of deployment and SSL support. It resolves to the IP address 172.64.151.8, a Cloudflare-assigned address commonly used to mask origin servers. The SSL certificate is issued by Google Trust Services, providing a veneer of legitimacy while obfuscating the malicious payload. No creation date is publicly available for this subdomain, but passive DNS records suggest it was recently activated. Google Safe Browsing (GSB) has not yet listed the domain, and no additional blocklist entries beyond VirusTotal have been confirmed at this time.

The domain remains active, serving phishing content as of the latest verification. No takedown actions have been observed, and the infrastructure continues to resolve to the same IP address. Users are advised to block access to blekfilogan.webflow.io at the network level and monitor for credential exposure if interaction has occurred. Organizations should update endpoint protection rules to include this domain and its associated IP, while individuals should verify the legitimacy of any login prompts originating from this URL. Given the high detection rate and active status, this domain poses a significant risk for credential theft and should be treated as a priority threat in incident response protocols.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 58271b7c1eb1374553251864f6e327aa
TLS cert SHA-256: 0dc0be3d837e60b4433d84c67385bdc354bb83307d80c71fb67d87f1beec53c6

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/blekfilogan.webflow.io/
JSON API: https://api.destroy.tools/v1/check?domain=blekfilogan.webflow.io
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 173,924 domains (14,620 alive under monitoring, 158,575 confirmed takedowns/dead).
Site: https://phishdestroy.io