# PhishDestroy threat dossier — dfl.bet ================================================================ Fetched: 2026-07-12 20:23:29 UTC Canonical: https://phishdestroy.io/domain/dfl.bet/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 92/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/91 security vendors flagged this domain Flagging vendors: SOCRadar Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.96.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Nameservers: nena.ns.cloudflare.com, yichun.ns.cloudflare.com Registered: 2026-04-30 Expires: 2027-04-30 Page title: Most Popular Online Crypto Casino & Prediction Markets HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-10-09 Status: INVALID chain Fingerprint: 905a1dcbd83182baff36d27a10e13120a8768c8c2ac0b1ecbbcd18865e589599 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-11 00:58:52 UTC (by PhishDestroy tracker) First reported: 2026-07-12 18:12:08 UTC (abuse notice filed) Last verified: 2026-07-12 22:17:15 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4e40-84e7-70db-968c-98c02f5c0904/ URLQuery: https://urlquery.net/report/2ec2ec14-e70c-44b8-af53-24df97a49014 Wayback Machine: https://web.archive.org/web/*/dfl.bet crt.sh CT logs: https://crt.sh/?q=%25.dfl.bet Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=dfl.bet AlienVault OTX: https://otx.alienvault.com/indicator/domain/dfl.bet URLhaus: https://urlhaus.abuse.ch/host/dfl.bet/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:19:42 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain dfl.bet was registered on 30 April 2026 through PDR Ltd. d/b/a PublicDomainRegistry.com. It resolves to the Cloudflare‑owned address 188.114.96.3, which is geolocated to Canada. The site serves an HTTPS certificate issued by Let’s Encrypt (valid for the current year) and returns HTTP 200 for the landing page. Cloudflare services are visible, including Browser Insights and HTTP/3 support, indicating the infrastructure is fully CDN‑enabled. The domain is already listed on a phishing blocklist and has been flagged by PhishDestroy, confirming its active malicious status. The landing page title “Most Popular Online Crypto Casino & Prediction Markets” suggests the site is masquerading as a crypto‑focused betting platform, likely to lure users seeking gambling or prediction‑market services. No explicit brand name is displayed, but the phrasing aligns with well‑known online casino and betting terminology, indicating a generic phishing campaign aimed at credential harvesting or financial fraud. Evidence of malicious intent includes the presence on a security blocklist, detection by PhishDestroy, and the recent creation date that aligns with typical fast‑flux phishing infrastructure. The use of a free Let’s Encrypt certificate and Cloudflare’s CDN helps the operator hide the true origin and increase availability. However, the exact payload, data collection method, or any malicious scripts have not been publicly disclosed, leaving the precise attack vector uncertain. Defenders should proactively block dfl.bet at the DNS and proxy level, and include it in URL filtering policies for web gateways. Monitoring outbound connections to the IP 188.114.96.3 can help identify compromised clients attempting to contact the site. Since the site is reachable over standard HTTPS, deep packet inspection may be required to detect any embedded credential‑stealing forms. Continuous threat‑intel feeds should be consulted for updates, and any observed user reports of credential submission should be investigated promptly. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-5BC5ED Favicon MD5: 57dd6243f25a6a327faee0f5d9e3a00c TLS cert SHA-256: 905a1dcbd83182baff36d27a10e13120a8768c8c2ac0b1ecbbcd18865e589599 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/dfl.bet/ JSON API: https://api.destroy.tools/v1/check?domain=dfl.bet Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,877 domains (49,621 alive under monitoring, 128,256 confirmed takedowns/dead). Site: https://phishdestroy.io