# PhishDestroy threat dossier — coral-bets.com ================================================================ Fetched: 2026-07-10 17:08:51 UTC Canonical: https://phishdestroy.io/domain/coral-bets.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Gambling Phishing kit: Gambler Scam Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 5/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 4/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Forcepoint ThreatSeeker, Fortinet, Gridinsoft Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 209.74.82.247 (SG, Singapore) ASN: ASAS22612 NAMECHEAP-NET - Namecheap, Inc., US Hosting org: AS22612 Namecheap, Inc. Registrar: Hosting Concepts B.V. d/b/a Registrar.eu Nameservers: a.dnspod.com, b.dnspod.com, c.dnspod.com Registered: 2026-06-13 Expires: 2027-06-13 Page title: Coral — Official Casino & Sports Betting HTTP response: 302 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-09-18 Status: INVALID chain Fingerprint: 9093d574e7100533a7a16e20a17074edfb81c09b3079ed0d43344d996440b13f ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-06 14:22:39 UTC (by PhishDestroy tracker) Last verified: 2026-07-10 17:40:03 UTC Neutralised: 2026-07-09 12:38:57 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3760-b93e-7345-9143-2eefd868a495/ Wayback Machine: https://web.archive.org/web/*/coral-bets.com crt.sh CT logs: https://crt.sh/?q=%25.coral-bets.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=coral-bets.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/coral-bets.com URLhaus: https://urlhaus.abuse.ch/host/coral-bets.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-06 14:25:51 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, coral-bets.com, is identified as an active phishing infrastructure specifically targeting users of Coral, a well-known betting and gambling service. Analysis confirms the domain is designed to impersonate official Coral resources, likely to harvest user credentials, payment details, or other sensitive information under false pretenses. The threat type is classified as generic phishing with a focus on brand impersonation, and the domain remains operational as of the latest verification. Infrastructure analysis reveals the following technical indicators: the domain resolves to the IP address 209.74.82.247 and was registered on June 13, 2026, through Hosting Concepts B.V. d/b/a Registrar.eu. The SSL certificate is issued by Let's Encrypt, a common choice for both legitimate and malicious sites. On VirusTotal, the domain is flagged by 1 of 95 security vendors, indicating limited but present detection. The page title, 'Coral — Official Resource,' reinforces the impersonation attempt, while the creation date suggests the domain may have been pre-registered for malicious use or repurposed from a dormant state. The current risk level is assessed as elevated due to the domain's active status and direct targeting of a recognized brand. Users and organizations are advised to block access to 209.74.82.247 and coral-bets.com at the network level. Security teams should monitor for connections to this IP or domain in logs, particularly from endpoints associated with financial or personal data access. If credentials were entered on this site, immediate password resets and multi-factor authentication enforcement are recommended. Domain registrars and hosting providers should be notified of the abuse to facilitate takedown procedures. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: e7398094c602d356ce1118f895088b0a TLS cert SHA-256: 9093d574e7100533a7a16e20a17074edfb81c09b3079ed0d43344d996440b13f ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/coral-bets.com/ JSON API: https://api.destroy.tools/v1/check?domain=coral-bets.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,110 domains (46,160 alive under monitoring, 130,950 confirmed takedowns/dead). Site: https://phishdestroy.io