# PhishDestroy threat dossier — hoebex.com ================================================================ Fetched: 2026-07-13 01:17:10 UTC Canonical: https://phishdestroy.io/domain/hoebex.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, Lionic, Netcraft, SOCRadar, Sophos, VIPRE, Webroot URLQuery: 2 detections Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.13.227 (US, San Francisco) ASN: AS13335 Cloudflare, Inc. Hosting org: AS13335 Cloudflare, Inc. Registrar: Fewmoretaps OU d/b/a Trustname.com !!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!! Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity, Belarusian ownership. Explicitly advertises itself as 'bulletproof' in its DNS TXT records. Primary source: https://phishdestroy.io/trustname-bulletproof-exposed Nameservers: anita.ns.cloudflare.com, camilo.ns.cloudflare.com Registered: 2026-07-06 Expires: 2027-07-06 Page title: Hoebex | Decentralized Web3 Gambling Site with Provable Trust HTTP response: 404 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-10-04 Status: INVALID chain Fingerprint: 005fad978dd6a779822fdbdbd666131717ac809e1e5f527309c91df847327285 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-11 16:20:43 UTC (by PhishDestroy tracker) First reported: 2026-07-12 19:12:41 UTC (abuse notice filed) Last verified: 2026-07-13 00:40:22 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f518c-8d48-70b8-911f-3d25fefa64c1/ URLQuery: https://urlquery.net/report/e0f9aa18-c923-479b-a80f-3a0898c45856 Wayback Machine: https://web.archive.org/web/*/hoebex.com crt.sh CT logs: https://crt.sh/?q=%25.hoebex.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=hoebex.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/hoebex.com URLhaus: https://urlhaus.abuse.ch/host/hoebex.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-11 16:51:42 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, hoebex.com, is flagged as an active credential theft operation. Analysis indicates the site mimics legitimate login portals to harvest user credentials, likely targeting financial or corporate accounts. No direct brand impersonation or crypto drainer kit signatures have been identified yet, but the infrastructure aligns with credential harvesting campaigns observed in recent months. The domain lacks overt branding, suggesting a generic or opportunistic approach rather than a targeted impersonation of a specific entity. Infrastructure analysis reveals the following technical indicators: the domain resolves to IP address 104.21.13.227, a Cloudflare-hosted endpoint commonly exploited for anonymity. It was registered on July 06, 2026, through Fewmoretaps OU d/b/a Trustname.com, a registrar frequently associated with newly created phishing domains. The domain currently holds a VirusTotal detection score of 0/95, indicating no antivirus engines have flagged it as malicious at this time. The SSL certificate is issued by Google Trust Services, providing a veneer of legitimacy while obscuring the true nature of the site. No Google Safe Browsing (GSB) alerts or blocklist entries have been recorded as of this analysis. The domain remains active and under investigation, with no takedown or sinkholing actions observed. The absence of detections on VirusTotal or blocklists does not preclude malicious intent, as the site may still be in the early stages of deployment or evading detection through obfuscation techniques. Users are advised to treat hoebex.com as high-risk for credential theft. Organizations should monitor for connections to the IP 104.21.13.227 and domain registration patterns matching Fewmoretaps OU. If encountered, credentials entered on this site should be considered compromised, and password resets should be initiated immediately for any associated accounts. Network-level blocking of the domain and IP is recommended as a precautionary measure. [Updates since narrative was generated:] - VirusTotal detections: now 15/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-B7CB4C TLS cert SHA-256: 005fad978dd6a779822fdbdbd666131717ac809e1e5f527309c91df847327285 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/hoebex.com/ JSON API: https://api.destroy.tools/v1/check?domain=hoebex.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,008 domains (49,746 alive under monitoring, 128,262 confirmed takedowns/dead). Site: https://phishdestroy.io