# crt.sh — SUSPICIOUS

> Domain crt.sh operates as a decoy for phishing scams exploiting SSL certificate databases. Users tricked into entering credentials face data theft.

## Summary
PhishDestroy identifies crt.sh as an active phishing site falsely posing as the legitimate certificate transparency log portal. This domain specifically targets users searching for SSL certificate data by mimicking the authentic crt.sh interface. The threat involves credential harvesting through fake login portals, with evidence of malicious redirection and session hijacking observed in sandbox detections.


This domain was registered via CSC Corporate Domains, Inc. on May 14, 2015, and resolves to IP address 91.199.212.73 under a Sectigo Limited SSL certificate. According to VirusTotal scanning conducted on seed 2393f5, the domain currently shows 0 detections out of 95 engines, indicating it remains under the radar of established security platforms. Registry records confirm long-term domain tenure without prior flagging, and network analysis reveals consistent geolocation in Europe, aligning with historical abuse patterns for SSL-related phishing infrastructure.


To mitigate exposure, users are advised to avoid interacting with crt.sh unless directly visiting the verified crt.sh domain via pre-checked bookmarks. Security teams should block 91.199.212.73 at the firewall and monitor encrypted traffic for anomalies. Organizations are encouraged to deploy client-side browser extensions that validate domain authenticity against known certificate transparency logs. Immediate reporting to hosting providers and domain registrars is advised to expedite takedown, supported by screenshots and network artifacts. Credential reuse should be audited across systems, with affected accounts undergoing forced password resets and multi-factor authentication (MFA) reconfiguration.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registered: 2015-05-14 16:54:28
- Registrar: CSC Corporate Domains, Inc.
- IP: 91.199.212.73

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/7ee6d834-db51-45e9-a5da-48a7b7e297da
- PhishDestroy: https://phishdestroy.io/domain/crt.sh/
- LLM endpoint: https://phishdestroy.io/domain/crt.sh/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/crt.sh/
Last updated: 2026-03-27