# PhishDestroy threat dossier — bluefln.app
================================================================

Fetched: 2026-05-26 18:07:05 UTC
Canonical: https://phishdestroy.io/domain/bluefln.app/

## VERDICT
----------------------------------------------------------------

CRITICAL THREAT — DO NOT VISIT

Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 2/91 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 172.67.149.119 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED

!!! REGISTRAR INTEGRITY ALERT — NiceNIC !!!
NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response.
Primary sources:
- https://phishdestroy.io/nicenic-real
- https://phishdestroy.io/nicenic-verdict

Nameservers: keyla.ns.cloudflare.com, nash.ns.cloudflare.com
Registered: 2026-05-23
Expires: 2027-05-23
Page title: Bluefin
HTTP response: 403

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Let's Encrypt / E7
Expires: 2026-08-21
Status: INVALID chain
Fingerprint: 8a9239f26d2ff720fe8b75708e541b3c1a8ce6d807f464763e67459e7425ba8e

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-05-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-23 16:20:10 UTC (by PhishDestroy tracker)
First reported: 2026-05-23 13:20:22 UTC (abuse notice filed)
Last verified: 2026-05-26 17:20:26 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

- URLScan.io: https://urlscan.io/result/019e54fc-68f1-70aa-b054-4865cfb1acd6/
- URLQuery: https://urlquery.net/report/f7674525-1954-41ad-80c3-95eae165a5cb
- Wayback Machine: https://web.archive.org/web/*/bluefln.app
- crt.sh CT logs: https://crt.sh/?q=%25.bluefln.app
- Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=bluefln.app
- AlienVault OTX: https://otx.alienvault.com/indicator/domain/bluefln.app
- URLhaus: https://urlhaus.abuse.ch/host/bluefln.app/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-05-23 16:20:55 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies bluefln.app as a brand impersonation scam currently under investigation, exhibiting high-risk characteristics despite low initial detection scores. This domain is designed to deceive users into believing it represents a legitimate service or company, leveraging impersonation tactics to steal credentials or deliver malware. Active since its registration on May 23, 2026, the domain resolves to IP 172.67.149.119 and operates under a Let’s Encrypt SSL certificate—a common tactic used to evade browser security warnings.

With 0 out of 95 VirusTotal detections at the time of analysis, the domain remains undetected by mainstream antivirus engines, highlighting the need for heightened vigilance despite its current classification as 'under investigation'. This domain was flagged as a generic phishing threat by PhishDestroy’s internal pipeline, with technical indicators including its registration through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar known for hosting high volumes of short-lived domains. The domain’s creation date is recent (May 23, 2026), and its association with IP 172.67.149.119—an address linked to other low-reputation activities—further elevates its risk profile. While VirusTotal does not yet flag the domain, its inclusion in PhishDestroy’s under-investigation category suggests active monitoring and potential escalation if corroborating evidence emerges. The use of a Let’s Encrypt SSL certificate, though legitimate on the surface, is often abused by threat actors to lend false credibility to fraudulent sites. No blocklist inclusion data is available at this time, but the complete lack of detections underscores the importance of proactive threat hunting rather than reliance on reactive tools.

Mitigation for users exposed to bluefln.app is straightforward but critical: cease all interactions, avoid entering credentials or downloading files, and report the domain to PhishDestroy or relevant authorities (e.g., Google Safe Browsing, your ISP’s abuse team). Given the domain’s generic name and recent creation, users should treat all communications referencing bluefln.app as potential scams, even if unsolicited. Organizations are advised to deploy DNS filtering rules to block access to the domain and its associated IP, while educating employees on the risks of brand impersonation scams. For individuals uncertain about a website’s legitimacy, manual verification via official channels (e.g., company websites with HTTPS initiated by the user) is strongly recommended.

PhishDestroy’s seed identifier 1c9539 should be referenced when submitting reports to ensure traceability in ongoing investigations.

[Updates since narrative was generated:]
- Public blocklists: now listed on 3 feeds

## EVIDENCE HASHES
----------------------------------------------------------------

PhishDestroy Case ID: PD-20260523-6B2ED7
TLS cert SHA-256: 8a9239f26d2ff720fe8b75708e541b3c1a8ce6d807f464763e67459e7425ba8e

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/bluefln.app/
JSON API: https://api.destroy.tools/v1/check?domain=bluefln.app
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 153,839 domains (29,180 alive under monitoring, 122,657 confirmed takedowns/dead). Site: https://phishdestroy.io