# PhishDestroy threat dossier — forthstack.com
================================================================
Fetched: 2026-07-03 17:07:25 UTC
Canonical: https://phishdestroy.io/domain/forthstack.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 69/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 163.61.188.7 (US, Staten Island)
ASN: AS153568 NEW DHAKA HARDWARE
Hosting org: MIT
Registrar: OwnRegistrar, Inc.
Nameservers: dns1.lytehosting.com, dns2.lytehosting.com, dns3.lytehosting.com, dns4.lytehosting.com
Registered: 2026-03-02
Expires: 2027-03-02
Page title: Home - Forthstack

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR1
Expires: 2026-09-28
Status: INVALID chain
Fingerprint: d584a4e2267914f2929c22d70876065d5d91885e1b5b92e9f2ca99c8d23d063f
Subject Alternative Names (related infrastructure — often same operator):
- mail.forthstack.com
- www.forthstack.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-03-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-01 03:59:52 UTC (by PhishDestroy tracker)
First reported: 2026-07-01 02:18:21 UTC (abuse notice filed)
Last verified: 2026-07-03 16:20:36 UTC
Neutralised: 2026-07-01 12:02:52 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f1b66-0c89-74fd-b0f2-1a7345923799/
URLQuery: https://urlquery.net/report/dacda5fa-57c0-4adc-914b-3796c9d85ad9
Wayback Machine: https://web.archive.org/web/*/forthstack.com
crt.sh CT logs: https://crt.sh/?q=%25.forthstack.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=forthstack.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/forthstack.com
URLhaus: https://urlhaus.abuse.ch/host/forthstack.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-01 04:46:11 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, forthstack.com, is currently assessed as under investigation for generic phishing activity. The threat posed is characterized by attempts to deceive users and potentially harvest sensitive information through impersonation or misleading web content. The risk level is under investigation, indicating that active monitoring and further scrutiny are warranted to determine the full extent of malicious behavior.

Several technical indicators support this assessment. The domain's title is 'Home - Forthstack.' It was registered through OwnRegistrar, Inc. and resolves to IP address 163.61.188.7. The SSL certificate is issued by Let's Encrypt, suggesting encryption is in use, which may be leveraged to foster user trust. Notably, as of the latest scan, VirusTotal reports 0 out of 95 detection engines flagging this domain, meaning it is not yet listed on major blocklists and has not been widely recognized as malicious. The domain was created on March 02, 2026, which is an unusual future date and may signal inaccuracies in WHOIS records or attempts at obfuscation. Despite this, the domain is confirmed to be active and under investigation.

Given the domain's active status and lack of detection by security platforms, users and organizations should exercise heightened vigilance. It is recommended to block or closely monitor network activity to and from 163.61.188.7. Security teams should update threat intelligence feeds with this domain and IP, and educate users on the risks of interacting with unfamiliar domains, especially those not yet flagged by automated security tools. Continued monitoring for changes in detection scores and domain reputation is advised to mitigate potential phishing threats.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260701-C8A24A
Favicon MD5: 7c6c55937750ca5fbd501abac93fc567
TLS cert SHA-256: d584a4e2267914f2929c22d70876065d5d91885e1b5b92e9f2ca99c8d23d063f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/forthstack.com/
JSON API: https://api.destroy.tools/v1/check?domain=forthstack.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,404 domains (13,154 alive under monitoring, 160,432 confirmed takedowns/dead).
Site: https://phishdestroy.io