# PhishDestroy threat dossier — bluefintuna.life
================================================================
Fetched: 2026-04-23 15:05:51 UTC
Canonical: https://phishdestroy.io/domain/bluefintuna.life/

## VERDICT
----------------------------------------------------------------
HIGH THREAT — malicious activity confirmed
Composite threat score: 75/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 2/94 security vendors flagged this domain
URLQuery: 2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 185.199.109.153 (US, San Francisco)
ASN: AS54113 Fastly, Inc.
Hosting org: GitHub, Inc
Registrar: Dynadot Inc
Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net
Registered: 2026-02-25
Expires: 2027-02-25
Page title: Bluefin Tuna LLC | Official Company Website
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R13
Expires: 2026-06-28
Status: INVALID chain
Fingerprint: 87d4d3731881a556a4e7f7d023cf3e20eb27137fd58de58366a002a33d82701e
Subject Alternative Names (related infrastructure — often same operator):
- www.bluefintuna.life

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-02-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-15 00:02:01 UTC (by PhishDestroy tracker)
First reported: 2026-04-14 21:03:39 UTC (abuse notice filed)
Last verified: 2026-04-23 07:40:26 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d8dcb-c242-75de-aab7-5504d8c9cdc6/
URLQuery: https://urlquery.net/report/139b4c68-efbb-44b4-8b0f-5ff37e7c8608
Wayback Machine: https://web.archive.org/web/*/bluefintuna.life
crt.sh CT logs: https://crt.sh/?q=%25.bluefintuna.life
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=bluefintuna.life
AlienVault OTX: https://otx.alienvault.com/indicator/domain/bluefintuna.life
URLhaus: https://urlhaus.abuse.ch/host/bluefintuna.life/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-15 00:02:20 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy has flagged bluefintuna.life as an active generic phishing domain under investigation, posing a credible threat to users through brand impersonation tactics. This domain is currently unflagged by most detection engines, with 0 out of 95 VirusTotal scans identifying it as malicious. Registered through Dynadot Inc on February 25, 2026, it resolves to IP 185.199.109.153 and utilizes a Let's Encrypt SSL certificate, leveraging trust signals to appear legitimate. As of now, no public blocklists or trust score platforms have flagged this domain, leaving users vulnerable to credential theft or malware delivery through deceptive interfaces.

The domain's recent creation date and lack of detection history suggest it is either newly operational or carefully crafted to evade initial scrutiny. The absence of detections on VirusTotal, despite active resolution, indicates a potential blind spot in threat intelligence feeds. The use of a legitimate-looking SSL certificate further lowers user suspicion, making it a prime candidate for phishing campaigns targeting unsuspecting visitors. While the specific brand being impersonated remains unverified, the domain’s structure and recent activity align with tactics used in generic phishing schemes designed to harvest sensitive information.

Users should avoid interacting with bluefintuna.life and report the domain to their IT security teams or via PhishDestroy’s threat submission portal. Organizations are advised to update firewall rules to block IP 185.199.109.153 and monitor DNS logs for resolution attempts. Given the domain’s low detection rate, proactive threat hunting and user awareness training are critical to mitigating potential breaches. Always verify domains through official channels and avoid entering credentials on unfamiliar sites.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260414-9C493D
Favicon MD5: f69861f4cb4b7c570890f7d33c3aad40
TLS cert SHA-256: 87d4d3731881a556a4e7f7d023cf3e20eb27137fd58de58366a002a33d82701e

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/bluefintuna.life/
JSON API: https://api.destroy.tools/v1/check?domain=bluefintuna.life
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io