# PhishDestroy threat dossier — gift2gift.cfd
================================================================

Fetched: 2026-06-07 08:12:53 UTC
Canonical: https://phishdestroy.io/domain/gift2gift.cfd/

## VERDICT
----------------------------------------------------------------

ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims

Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 1/92 security vendors flagged this domain
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Global Domain Group LLC
Nameservers: garrett.ns.cloudflare.com, grannbo.ns.cloudflare.com
Registered: 2026-05-17
Page title: BONK COIN
HTTP response: 530

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Let's Encrypt / E8
Expires: 2026-08-14
Status: INVALID chain
Fingerprint: 80cc55cef05258d864dc227b6afc2052116f11f5236abfcc98ad45219e4f9b44

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-05-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-18 14:56:55 UTC (by PhishDestroy tracker)
First reported: 2026-05-18 11:58:42 UTC (abuse notice filed)
Last verified: 2026-06-07 06:33:55 UTC
Neutralised: 2026-05-26 18:25:44 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019e3af1-41d4-772f-8d7a-2f17ff6610c3/
URLQuery: https://urlquery.net/report/be1cc735-20d9-42d7-90b0-208de4e048bb
Wayback Machine: https://web.archive.org/web/*/gift2gift.cfd
crt.sh CT logs: https://crt.sh/?q=%25.gift2gift.cfd
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=gift2gift.cfd
AlienVault OTX: https://otx.alienvault.com/indicator/domain/gift2gift.cfd
URLhaus: https://urlhaus.abuse.ch/host/gift2gift.cfd/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-05-18 14:57:54 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies an active credential theft campaign tied to the domain gift2gift.cfd, currently under investigation with a dynamic risk classification. This malicious resource masquerades as a reputable gift exchange platform to harvest sensitive login credentials, email addresses, and potentially cryptocurrency wallet access.

This domain was flagged during routine threat analysis with the following technical indicators: VirusTotal currently reports zero detections out of 95 scanners, suggesting low antivirus coverage; registration occurred on May 17, 2026 via Global Domain Group LLC; the domain resolves to the IP address 188.114.97.3, which is associated with Let's Encrypt-issued SSL certificates. The infrastructure has not yet been identified on major threat intelligence blocklists such as AlienVault OTX or Abuse.ch URLHaus. Domain reputation scores remain neutral due to its recent creation and limited historical telemetry, increasing the risk of detection evasion.

To mitigate exposure to this credential theft campaign, organizations and individuals should block the domain gift2gift.cfd and monitor for any connections to the IP 188.114.97.3 at the network perimeter. Users are advised to enable multi-factor authentication (MFA) on all accounts, avoid entering credentials on unfamiliar domains, and validate any links claiming to offer gift exchange services through official channels. Security teams should deploy DNS filtering rules and inspect historical DNS logs for lateral movement. Given the zero-detection status on VirusTotal, manual verification and user awareness training are critical to prevent successful credential harvesting.

## EVIDENCE HASHES
----------------------------------------------------------------

PhishDestroy Case ID: PD-20260518-843DB7
Favicon MD5: d17a9ccaed776e296fc7e23955a5dfc4
TLS cert SHA-256: 80cc55cef05258d864dc227b6afc2052116f11f5236abfcc98ad45219e4f9b44

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/gift2gift.cfd/
JSON API: https://api.destroy.tools/v1/check?domain=gift2gift.cfd
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 158,710 domains (42,721 alive under monitoring, 114,967 confirmed takedowns/dead). Site: https://phishdestroy.io