# PhishDestroy threat dossier — gemini-login-start-byw.pages.dev
================================================================
Fetched: 2026-04-28 15:35:19 UTC
Canonical: https://phishdestroy.io/domain/gemini-login-start-byw.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing
Targeted brand: Google

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/91 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, Fortinet, LevelBlue

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: beau.ns.cloudflare.com, gemma.ns.cloudflare.com
Registered: 2026-04-27
Page title: Sign Up, Login, and Access Google
HTTP response: 200
Note: this is a project hostname under pages.dev (Cloudflare Pages), not a domain the operator bought. The registrar and nameserver fields therefore describe Cloudflare's platform, and the IP is a shared Cloudflare anycast address whose Toronto geolocation is the serving edge, not the operator's location. Pivot on the hostname, not on the IP or the nameservers.

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-06-17
Status: INVALID chain
Fingerprint: d5d1e0e0578bc226af62f90bf3df9cce85ae392af999473bbf58cc1c14c740d0
Note: Cloudflare provisions edge certificates for pages.dev hostnames automatically, so the issuer says nothing about who runs the site. Cloudflare's edge normally serves a complete chain, so re-check the "INVALID chain" result (for example with openssl s_client and SNI set to the hostname) before using it as an indicator on its own. Look the fingerprint up on crt.sh to see which names the certificate covers; a shared platform certificate covering many pages.dev names is not operator-specific and should not be used as an IOC.

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet. This domain is waiting for the next cycle of our automated abuse-reporter, so there is no non-response to record so far.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration; for a pages.dev project hostname it most likely marks first appearance in CT)
First detected: 2026-04-27 06:33:45 UTC (by PhishDestroy tracker)
Last verified: 2026-04-28 13:06:10 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dccff-5bee-7583-bd42-54bc9314c230/
Wayback Machine: https://web.archive.org/web/*/gemini-login-start-byw.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.gemini-login-start-byw.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=gemini-login-start-byw.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/gemini-login-start-byw.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/gemini-login-start-byw.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-27 06:34:05 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies gemini-login-start-byw.pages.dev as an active credential phishing domain posing as a Google login portal. The site uses a deceptive project name ('gemini-login-start-byw') under the pages.dev platform suffix to mimic legitimate Google authentication pages, specifically targeting users of Google services. No known phishing or drainer kit has been publicly documented for this exact domain, but the page is built to harvest Google account credentials through a spoofed login interface. The campaign fits a broader trend of threat actors abusing Cloudflare Pages to host phishing content, because legitimate cloud infrastructure gives the page a trusted certificate, a reputable ASN and a clean hosting history, all of which delay detection.
Given the domain's thematic alignment with Google services and its recent activation, this is likely a targeted campaign against users unfamiliar with phishing red flags.

PhishDestroy flagged this domain as a credential phishing site on the following technical indicators: a VirusTotal score of 0/95 at the time this narrative was generated, meaning no vendor had yet flagged it (the DETECTION EVIDENCE section above is authoritative; see the update note at the end of this narrative); hosting on Cloudflare Pages, a common choice for phishing operators because the platform fronts the site, hides the origin server and issues a trusted certificate with no identity check; resolution to 188.114.97.3, a shared Cloudflare anycast address; and an automatically provisioned Google Trust Services certificate, which gives the page a padlock but says nothing about who operates it. The hostname was minted recently (the TIMELINE section above gives 2026-04-27), and its Google Safe Browsing (GSB) status was unflagged at generation time. It had not yet been added to any major blocklist, leaving users and organizations exposed. A clean VT score, Cloudflare hosting and a platform-issued certificate together point to a page in the early stages of deployment that has not yet undergone widespread analysis or takedown.

The status of gemini-login-start-byw.pages.dev is active and under investigation by PhishDestroy, with a residual risk level of 'under_investigation' because longitudinal data is still thin. Immediate response actions are ongoing monitoring for takedown or deactivation, and signature development for network and endpoint detection. The risk remains elevated while the page is live: users may reach it through phishing emails, malicious ads, or compromised websites. To limit exposure, users should check that the domain a link displays matches the domain it actually opens, enable multi-factor authentication (MFA) on Google accounts (preferably a phishing-resistant method such as a passkey or security key, since a spoofed login page can relay one-time codes in real time), and report suspicious login prompts.
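The link checks this narrative describes (does the displayed domain match the target host, is the host a freely mintable subdomain carrying brand and login words) and the shared-IP question raised by the INFRASTRUCTURE section, as an added Python example for this dossier. It is not PhishDestroy's code: the email body, the keyword lists and the CDN range table are constructed here (the ranges are a subset of Cloudflare's published IPv4 list and should be refreshed from cloudflare.com/ips), and every function name is this example's own.

```python
"""Triage links in an email body against this dossier's pattern (brand and
login words on a free-hosting subdomain, displayed URL != real target) and
decide what kind of block is safe to push. Added example, not PhishDestroy code."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: starter list of platforms where anyone can mint a subdomain.
FREE_HOST_SUFFIXES = (".pages.dev", ".workers.dev", ".web.app", ".netlify.app")
# Assumption: brand and lure words drawn from this dossier's hostname.
BRAND_KEYWORDS = ("google", "gemini", "gmail")
LURE_KEYWORDS = ("login", "signin", "sign-in", "verify", "auth", "account")
# Constructed subset of Cloudflare's published IPv4 ranges (refresh from
# cloudflare.com/ips); 188.114.97.3 from INFRASTRUCTURE is in 188.114.96.0/20.
SHARED_CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "188.114.96.0/20", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def hostname_of(url):
    return (urlparse(url).hostname or "").lower()


def displayed_domain(text):
    """Hostname the anchor text *claims* to point at, if it looks like a URL."""
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return match.group(1) if match else None


def assess_link(href, text):
    """Return the reasons a link matches the credential-phishing pattern."""
    host, reasons = hostname_of(href), []
    shown = displayed_domain(text)
    if shown and shown != host and not host.endswith("." + shown):
        reasons.append(f"displayed domain {shown!r} differs from target {host!r}")
    if any(host.endswith(s) for s in FREE_HOST_SUFFIXES):
        label = host.split(".")[0]          # the operator-chosen project name
        if any(k in label for k in BRAND_KEYWORDS):
            reasons.append(f"brand keyword in free-hosting label {label!r}")
        if any(k in label for k in LURE_KEYWORDS):
            reasons.append(f"login lure word in free-hosting label {label!r}")
    return reasons


def triage(html):
    """Map each suspicious target hostname in the email to its reasons."""
    findings = {}
    for href, text in extract_links(html):
        reasons = assess_link(href, text)
        if reasons:
            findings[hostname_of(href)] = reasons
    return findings


def block_action(host, ip):
    """Always block the hostname; block the IP only when it is not shared CDN space."""
    if any(ipaddress.ip_address(ip) in net for net in SHARED_CDN_RANGES):
        return {"hostname": host, "ip": None,
                "note": f"{ip} is shared CDN anycast; block by hostname/SNI/URL only"}
    return {"hostname": host, "ip": ip, "note": "dedicated IP, both blocks are safe"}


# Constructed sample lure (not a real capture): the visible text shows a
# Google URL while the href goes to the dossier's pages.dev hostname.
SAMPLE_EMAIL = """
<p>Unusual sign-in detected. Confirm it's you:</p>
<a href="https://gemini-login-start-byw.pages.dev/">https://accounts.google.com/signin</a>
<p>Or read our <a href="https://support.google.com/">help page</a>.</p>
"""

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EMAIL).items():
        print(host, "->", "; ".join(reasons))
        print(block_action(host, "188.114.97.3"))
```

Run stand-alone it reports three reasons for the pages.dev link (displayed-domain mismatch, brand word, login word), nothing for the genuine support.google.com link, and refuses to emit an IP block for 188.114.97.3 because the address sits in shared Cloudflare space. The keyword match deliberately looks only at the leftmost label, since that is the only part of a pages.dev hostname the operator chooses.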
Organizations should add mail-filtering rules that flag newly seen pages.dev hostnames carrying Google brand or login terms (blanket-blocking Cloudflare Pages is too broad for most environments; quarantine and review instead), and block the hostname gemini-login-start-byw.pages.dev at the DNS resolver, web proxy or TLS-inspection layer. Do not block 188.114.97.3 at the network perimeter: it is a shared Cloudflare anycast address, so an IP block would cut off every other site served from that edge while the phishing page kept working from any other Cloudflare address. While the Google Trust Services certificate enhances the page's appearance of legitimacy, users should treat all unsolicited login prompts with skepticism, especially those delivered through non-standard channels such as third-party pages or shortened links.

[Updates since narrative was generated:]
- VirusTotal detections: now 4/91 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 0c23393a2962fa25800b09e18dd6b102
TLS cert SHA-256: d5d1e0e0578bc226af62f90bf3df9cce85ae392af999473bbf58cc1c14c740d0

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged.
A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets or harvesting credentials. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/gemini-login-start-byw.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=gemini-login-start-byw.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io