# PhishDestroy threat dossier — giris.mert-king-hizli43.icu ================================================================ Fetched: 2026-07-11 10:58:10 UTC Canonical: https://phishdestroy.io/domain/giris.mert-king-hizli43.icu/ ## VERDICT ---------------------------------------------------------------- ACTIVE THREAT — multiple warning signs Composite threat score: 46/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/95 security vendors flagged this domain Flagging vendors: PhishFort Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.223.157 ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED !!! REGISTRAR INTEGRITY ALERT — NiceNIC !!! NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response. Primary sources: https://phishdestroy.io/nicenic-real https://phishdestroy.io/nicenic-verdict Nameservers: aaden.ns.cloudflare.com, lola.ns.cloudflare.com Registered: 2026-07-11 Expires: 2027-07-11 Page title: Meritking | Meritking Mobil Giriş Merkezi | Hızlı Kayıt Sistemi HTTP response: 520 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-11 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-11 06:21:09 UTC (by PhishDestroy tracker) Last verified: 2026-07-11 12:25:18 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4f67-8b06-77b6-9a97-55ec5810904b/ Wayback Machine: https://web.archive.org/web/*/giris.mert-king-hizli43.icu crt.sh CT logs: https://crt.sh/?q=%25.giris.mert-king-hizli43.icu Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=giris.mert-king-hizli43.icu AlienVault OTX: https://otx.alienvault.com/indicator/domain/giris.mert-king-hizli43.icu URLhaus: https://urlhaus.abuse.ch/host/giris.mert-king-hizli43.icu/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-11 06:51:43 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as a high-risk credential theft phishing operation designed to harvest user login credentials through deceptive login portals. Analysis indicates the infrastructure is actively targeting individuals by impersonating legitimate authentication pages, a common tactic in account takeover schemes. The domain’s recent creation and minimal detection on security platforms suggest an attempt to evade automated defenses while maintaining operational persistence. Infrastructure analysis reveals the domain was registered on July 11, 2026, through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar frequently associated with malicious registrations. It resolves to the IP address 172.67.223.157, which is proxied through Cloudflare, obscuring the true origin of the hosting infrastructure. Only 1 out of 95 security vendors on VirusTotal currently flag this domain, indicating low initial detection rates. The SSL certificate is issued by Google Trust Services, providing a veneer of legitimacy while the domain remains active and unblocked on most public blocklists. Technologies detected include Cloudflare Browser Insights and HTTP/3, which are often leveraged to enhance performance and evade traditional security controls. Mitigation against credential theft phishing requires a multi-layered approach. Organizations should implement strict domain monitoring to detect newly registered lookalike domains and enforce DNS-based blocking for known malicious IPs, such as 172.67.223.157. Endpoint protection should be configured to flag and quarantine any attempts to access this domain or its associated infrastructure. User training must emphasize the risks of entering credentials on unfamiliar login portals, particularly those mimicking trusted brands. Additionally, multi-factor authentication (MFA) should be enforced to mitigate the impact of stolen credentials, as phishing-resistant MFA methods significantly reduce the success rate of such attacks. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 8f82d071d5315df73670bb345499a802 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/giris.mert-king-hizli43.icu/ JSON API: https://api.destroy.tools/v1/check?domain=giris.mert-king-hizli43.icu Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,282 domains (50,017 alive under monitoring, 127,065 confirmed takedowns/dead). Site: https://phishdestroy.io