# PhishDestroy threat dossier — cityroyalbks.com ================================================================ Fetched: 2026-07-02 09:39:15 UTC Canonical: https://phishdestroy.io/domain/cityroyalbks.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 85/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 18/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Fortinet, G-Data, Lionic, Netcraft, Sophos URLQuery: 2 detections AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 51.91.219.191 (FR, Lille) ASN: ASAS16276 OVH OVH SAS, FR Hosting org: AS16276 OVH SAS Registrar: TuringSign Inc. d/b/a Cosmotown Nameservers: ns1.sternhost.net, ns2.sternhost.net Registered: 2024-09-02 Expires: 2026-09-02 Page title: City-Royal-Bank - Dedicated to innovating, simplifying, and humanizing digital banking. ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-07-30 Status: INVALID chain Fingerprint: ef5933aef2253a90fe914ac0dd45c89df1c1a4d4dbf8724edeb0776d83530b5e ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2024-09-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-01 04:16:57 UTC (by PhishDestroy tracker) First reported: 2026-07-01 02:42:35 UTC (abuse notice filed) Last verified: 2026-07-02 11:16:36 UTC Neutralised: 2026-07-01 12:02:52 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f1b76-4d9e-73bf-811c-42069bba5849/ URLQuery: https://urlquery.net/report/25bd77b9-7351-48fc-ae63-0ea53f4aea00 Wayback Machine: https://web.archive.org/web/*/cityroyalbks.com crt.sh CT logs: https://crt.sh/?q=%25.cityroyalbks.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=cityroyalbks.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/cityroyalbks.com URLhaus: https://urlhaus.abuse.ch/host/cityroyalbks.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-01 04:24:46 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain cityroyalbks.com poses a high-risk threat through brand impersonation, masquerading as a legitimate banking entity. Its active status, combined with specific indicators of malicious activity, elevates the risk level. Users interacting with this domain are at significant risk of falling victim to phishing attacks, potentially leading to unauthorized access to sensitive personal and financial information. Technical analysis of cityroyalbks.com reveals multiple concerning factors. The domain was created on September 02, 2024, and is registered through TuringSign Inc. d/b/a Cosmotown. The domain uses a Let's Encrypt SSL certificate and resolves to IP address 51.91.219.191. Notably, it is flagged by 12 out of 95 vendors on VirusTotal, indicating widespread recognition of its threat potential. Furthermore, it has been blocked by PhishDestroy and appears on at least one security blocklist, underscoring its malicious nature and supporting evidence of its illegitimacy. Given the high-risk status of this domain, immediate mitigation steps are essential. Users should avoid interacting with cityroyalbks.com and report any suspicious emails or links directing them to this domain. Security teams should incorporate this domain into their blocklists to prevent access from their networks. Organizations should also educate employees about the signs of phishing and brand impersonation to reduce the risk of falling victim to such threats. Regular updates to security software and browser extensions can provide an additional layer of protection against these types of cyber threats. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260701-6AC6DC Favicon MD5: b8a0bf372c762e966cc99ede8682bc71 TLS cert SHA-256: ef5933aef2253a90fe914ac0dd45c89df1c1a4d4dbf8724edeb0776d83530b5e ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/cityroyalbks.com/ JSON API: https://api.destroy.tools/v1/check?domain=cityroyalbks.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,583 domains (14,589 alive under monitoring, 158,288 confirmed takedowns/dead). Site: https://phishdestroy.io