# PhishDestroy threat dossier — defa.digital ================================================================ Fetched: 2026-07-13 22:42:21 UTC Canonical: https://phishdestroy.io/domain/defa.digital/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: redirect_split) (score: 4/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 18/91 security vendors flagged this domain Flagging vendors: Abusix, alphaMountain.ai, BitDefender, Chong Lua Dao, Cluster25, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, LevelBlue, Lionic, MalwareURL, SOCRadar, Sophos, Webroot Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 102.220.160.203 (SI, Ljubljana) ASN: ASAS197769 VPSDEDICATED-AS VPS Dedicated LLC, US Hosting org: AS197769 VPS Dedicated LLC Registrar: Sav.com, LLC Nameservers: augustus.ns.cloudflare.com, laura.ns.cloudflare.com Registered: 2026-01-06 Expires: 2027-01-06 Page title: HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-01-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-09 14:19:19 UTC (by PhishDestroy tracker) Last verified: 2026-07-14 00:20:46 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f46d0-a1b8-73b4-8cd1-414cb24b792e/ Wayback Machine: https://web.archive.org/web/*/defa.digital crt.sh CT logs: https://crt.sh/?q=%25.defa.digital Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=defa.digital AlienVault OTX: https://otx.alienvault.com/indicator/domain/defa.digital URLhaus: https://urlhaus.abuse.ch/host/defa.digital/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-09 14:55:57 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, defa.digital, is identified as a credential theft campaign designed to harvest user login credentials and session tokens through deceptive login portals. Analysis indicates the infrastructure mimics legitimate authentication interfaces, likely targeting users of financial services, email providers, or enterprise single sign-on systems. The site employs social engineering tactics, such as fake security alerts or account verification prompts, to coerce victims into entering sensitive information. Once captured, credentials are exfiltrated to attacker-controlled endpoints for unauthorized access, account takeovers, or further exploitation in downstream attacks. Evidence supporting this assessment includes detection by 13 out of 95 security vendors on VirusTotal, with Google Safe Browsing explicitly flagging the domain under the SOCIAL_ENGINEERING category. The domain was registered on January 6, 2026, through Sav.com, LLC, a registrar frequently observed in transient phishing campaigns. Infrastructure analysis reveals the domain resolves to the IP address 102.220.160.203, hosted on an Apache HTTP Server with a Let's Encrypt SSL certificate, a common configuration for short-lived malicious sites. The combination of recent registration, low detection prevalence, and use of ephemeral hosting suggests an attempt to evade automated detection and takedown mechanisms. Users who visited defa.digital or entered credentials on the site should immediately revoke any active sessions associated with the affected account and reset passwords using a secure, non-compromised device. Enable multi-factor authentication (MFA) on all accounts, prioritizing those linked to financial services or sensitive data. Monitor account activity for unauthorized transactions or configuration changes, such as email forwarding rules or unfamiliar device logins. If financial information was entered, contact the relevant institution to report potential fraud and request account monitoring. Clear browser cache and cookies to remove any residual session tokens, and scan the device for malware using updated security tools to detect potential secondary infections. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/defa.digital/ JSON API: https://api.destroy.tools/v1/check?domain=defa.digital Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,334 domains (50,019 alive under monitoring, 128,315 confirmed takedowns/dead). Site: https://phishdestroy.io