# PhishDestroy threat dossier — casinos-quickwin.com ================================================================ Fetched: 2026-06-06 22:57:17 UTC Canonical: https://phishdestroy.io/domain/casinos-quickwin.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/91 security vendors flagged this domain Flagging vendors: Gridinsoft URLQuery: 2 detections Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.96.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: Fewmoretaps OU d/b/a Trustname.com !!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!! Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity, Belarusian ownership. Explicitly advertises itself as 'bulletproof' in its DNS TXT records. Primary source: https://phishdestroy.io/trustname-bulletproof-exposed Nameservers: ["gordon.ns.cloudflare.com", "luciane.ns.cloudflare.com"] Registered: 2026-04-28 Page title: QuickWin Casino: Jouez en ligne et gagnez de l'argent réel HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-06-15 Status: INVALID chain Fingerprint: 0ea1dfe28c3c3f54f4df3e2019fbfc3b2a5b979eff4b707d862d0107cc04576d ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-28 19:13:10 UTC (by PhishDestroy tracker) First reported: 2026-04-28 16:38:28 UTC (abuse notice filed) Last verified: 2026-06-07 00:32:40 UTC Neutralised: 2026-06-06 17:33:51 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dd4db-65ca-70de-a193-a7fd7987d3f9/ URLQuery: https://urlquery.net/report/8851db23-4ba3-402c-a303-a93d5c97a7e1 Wayback Machine: https://web.archive.org/web/*/casinos-quickwin.com crt.sh CT logs: https://crt.sh/?q=%25.casinos-quickwin.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=casinos-quickwin.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/casinos-quickwin.com URLhaus: https://urlhaus.abuse.ch/host/casinos-quickwin.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-28 19:16:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy has identified casinos-quickwin.com as a credential theft domain designed to steal login credentials from unsuspecting users. The site masquerades as a legitimate casino platform, luring visitors into entering their usernames and passwords into fraudulent forms. Once harvested, these credentials are likely used for account takeovers, financial fraud, or sold on dark web markets. Users should assume any interaction with this domain may compromise their sensitive data. This domain was flagged by VirusTotal with only 1 out of 95 security vendors detecting the threat at the time of analysis. It was registered through Fewmoretaps OU (d/b/a Trustname.com) on March 17, 2026, and resolves to IP address 188.114.96.3. The domain also holds a Let’s Encrypt SSL certificate, which criminals often exploit to appear legitimate and bypass browser warnings. If you or your organization has visited casinos-quickwin.com, immediately change passwords for any accounts where you reused credentials. Enable multi-factor authentication where available and scan your devices for malware. Report the domain to your IT security team or to PhishDestroy to help block future access. Do not enter any personal or financial information on this site under any circumstances. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260428-FC07EB Favicon MD5: fd89515537caede99f2d9aabf1632c26 TLS cert SHA-256: 0ea1dfe28c3c3f54f4df3e2019fbfc3b2a5b979eff4b707d862d0107cc04576d ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/casinos-quickwin.com/ JSON API: https://api.destroy.tools/v1/check?domain=casinos-quickwin.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 157,278 domains (42,525 alive under monitoring, 113,918 confirmed takedowns/dead). Site: https://phishdestroy.io