# PhishDestroy threat dossier — global-kucquin.pages.dev
================================================================
Fetched: 2026-04-25 11:47:07 UTC
Canonical: https://phishdestroy.io/domain/global-kucquin.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 90/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 5/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.96.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: apollo.ns.cloudflare.com, walk.ns.cloudflare.com
Registered: 2026-04-10
Page title: Suspected phishing site | Cloudflare
HTTP response: 403

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-09
Status: INVALID chain
Fingerprint: e2eb41f4b149fd5e4a41e21a189b74271067687fa5b7cf2529c24a8e16b18d50

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-10 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-10 18:45:46 UTC (by PhishDestroy tracker)
Last verified: 2026-04-21 16:07:22 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d7810-ca7b-7511-a9f1-f8678be01c45/
Wayback Machine: https://web.archive.org/web/*/global-kucquin.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.global-kucquin.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=global-kucquin.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/global-kucquin.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/global-kucquin.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-10 18:46:12 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

global-kucquin.pages.dev has been flagged for a fake login phishing scheme under active investigation, with a current risk level labeled as under_investigation. This domain, registered through Cloudflare, Inc., is designed to impersonate a legitimate login interface, likely aiming to harvest user credentials or sensitive data. PhishDestroy identifies this as a high-priority threat due to its active status and the potential for significant user impact if left unaddressed. The domain resolves to IP address 188.114.96.3 and is served via Cloudflare’s infrastructure, which may provide additional anonymity to its operators. VirusTotal currently reports 0 out of 95 detections, indicating that it has not yet been widely flagged by security vendors, though this does not diminish its threat potential.
The domain utilizes a Google Trust Services SSL certificate, which may further lend it an air of legitimacy to unsuspecting users. These indicators suggest a well-constructed phishing attempt likely targeting login credentials, possibly for financial services, email platforms, or corporate portals.

This assessment is based on verified data points: VirusTotal shows 0 out of 95 detections as of the latest scan, indicating no current blocklisting by major security engines. The domain is registered through Cloudflare, Inc., a common choice for threat actors seeking to obscure their true hosting details or exploit free tiers for malicious activities. It resolves to IP 188.114.96.3, which is associated with Cloudflare’s infrastructure, a tactic often used to evade IP-based blocking. The presence of a Google Trust Services SSL certificate adds a layer of perceived trustworthiness, as these certificates are widely trusted by browsers. While the exact creation date of the domain is not provided, its active status and Cloudflare registration suggest recent deployment, likely within the past few months. The combination of these factors—low detection rates, Cloudflare’s anonymizing services, and a trusted SSL certificate—creates a deceptive environment ripe for credential harvesting attacks. Users interacting with this domain risk exposing login credentials, payment details, or other sensitive information to malicious actors.

To mitigate the risks posed by global-kucquin.pages.dev, users should avoid interacting with this domain entirely, as it is actively involved in a fake login phishing campaign. If credentials or sensitive data have already been entered, immediately change passwords for the affected accounts and enable multi-factor authentication (MFA) where possible. Organizations should consider blocking the domain at the network level and monitoring for any unusual login activity tied to credentials accessed via this portal.
Security teams should also report the domain to relevant authorities, such as Google Safe Browsing, PhishTank, or their local CERT, to aid in broader detection and takedown efforts. For personal protection, users can leverage browser extensions or security tools that block known phishing domains and warn against suspicious login pages. Proactive awareness and education about phishing tactics—such as verifying URLs, checking for secure connections, and recognizing impersonation attempts—are critical in preventing credential theft. Given the domain’s use of Cloudflare and a trusted SSL certificate, traditional security measures may not suffice; thus, layered defenses and user vigilance are essential to counter this threat.

[Updates since narrative was generated:]
- WHOIS creation date: 2026-04-10

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: e2eb41f4b149fd5e4a41e21a189b74271067687fa5b7cf2529c24a8e16b18d50

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/global-kucquin.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=global-kucquin.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io