# PhishDestroy threat dossier — fideii-tyl.cyou ================================================================ Fetched: 2026-07-10 12:36:06 UTC Canonical: https://phishdestroy.io/domain/fideii-tyl.cyou/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 12/95 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, Cluster25, CRDF, ESET, Fortinet, G-Data, Google Safebrowsing, PhishLabs, SOCRadar, Sophos, Webroot Public blocklists: listed on 2 independent blocklists Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.177.239.65 (US, Philadelphia) ASN: AS205775 NEON CORE NETWORK LLC Hosting org: Partner Hosting LTD Registrar: GLOBAL ASSET DOMAINS INC Nameservers: a.share-dns.com, b.share-dns.net, ns1.gadomains.com, ns2.gadomains.com Registered: 2026-07-08 Expires: 2027-07-08 Page title: Access Denied HTTP response: 302 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE2 Expires: 2026-10-06 Status: INVALID chain Fingerprint: db33067bce5ffe805eebbed1c96a4ec3ec2a72b47e208896c9b783ebe7c66440 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-10 10:59:30 UTC (by PhishDestroy tracker) Last verified: 2026-07-10 12:50:14 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4b3f-477b-72ee-9f4d-fbd4a2bd4a1a/ Wayback Machine: https://web.archive.org/web/*/fideii-tyl.cyou crt.sh CT logs: https://crt.sh/?q=%25.fideii-tyl.cyou Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=fideii-tyl.cyou AlienVault OTX: https://otx.alienvault.com/indicator/domain/fideii-tyl.cyou URLhaus: https://urlhaus.abuse.ch/host/fideii-tyl.cyou/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-10 11:06:05 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, fideii-tyl.cyou, is identified as a high-risk phishing infrastructure designed to impersonate Fidelity Investments, a major financial services provider. Analysis indicates the domain is likely part of a credential harvesting campaign, targeting users through social engineering tactics to capture sensitive login information. While no specific drainer kit has been confirmed, the domain's structure and naming convention suggest a focus on financial fraud, consistent with known phishing operations targeting investment platforms. Infrastructure analysis reveals the following technical indicators: the domain was registered on July 8, 2026, through GLOBAL ASSET DOMAINS INC, and currently resolves to the IP address 185.177.239.65. Security vendor detection on VirusTotal stands at 12/95, with Google Safe Browsing flagging the domain under the category SOCIAL_ENGINEERING. The domain appears on one security blocklist and is actively blocked by InversionDNS. Additionally, it employs a Let's Encrypt SSL certificate, which, while providing encryption, is frequently exploited by threat actors to lend an appearance of legitimacy to malicious sites. As of the latest assessment, fideii-tyl.cyou remains active, posing an ongoing risk to users who may be deceived into entering credentials. Response actions by security providers have included blocklisting and DNS-level blocking, but the domain's continued operation indicates persistent threat activity. Organizations and individuals are advised to implement network-level blocking for the domain and its associated IP address, while users should be educated on recognizing phishing attempts, particularly those impersonating financial institutions. Given the domain's high-risk classification and active status, continuous monitoring and proactive mitigation measures are recommended to prevent potential credential compromise. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 714ba6449c1909012bf22e37f9e0befa TLS cert SHA-256: db33067bce5ffe805eebbed1c96a4ec3ec2a72b47e208896c9b783ebe7c66440 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/fideii-tyl.cyou/ JSON API: https://api.destroy.tools/v1/check?domain=fideii-tyl.cyou Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 176,984 domains (24,624 alive under monitoring, 152,336 confirmed takedowns/dead). Site: https://phishdestroy.io