# PhishDestroy threat dossier — izin-lewat-pak.pages.dev
================================================================
Fetched: 2026-07-03 05:17:53 UTC
Canonical: https://phishdestroy.io/domain/izin-lewat-pak.pages.dev/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 88/100 (PhishDestroy scoring — see methodology below)
Scam classification: Generic Phishing

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.66.47.97 (US, San Francisco)
ASN: AS13335 CLOUDFLARENET - Cloudflare, Inc., US
Hosting org: AS13335 Cloudflare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: lucy.ns.cloudflare.com, matteo.ns.cloudflare.com
Registered: 2026-05-27
Page title: SLOT GACOR | Platform Resmi Terpercaya Menawarkan Sistem Deposit Kilat dan Withdraw Instan untuk Pengalaman Modern
HTTP response: 404

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-08-25
Status: INVALID chain
Fingerprint: f97b27a3553c5ebe9b99de07d74ccf35d2fc57d5a0fb61f62fca0bfef95da864

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-29 17:13:26 UTC (by PhishDestroy tracker)
First reported: 2026-05-29 17:12:41 UTC (abuse notice filed)
Last verified: 2026-07-03 04:20:37 UTC
Neutralised: 2026-06-06 17:29:32 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e7413-1d61-7379-b81b-fef82f24a73d/
Wayback Machine: https://web.archive.org/web/*/izin-lewat-pak.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.izin-lewat-pak.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=izin-lewat-pak.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/izin-lewat-pak.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/izin-lewat-pak.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 18:58:51 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain is flagged under investigation for hosting a targeted phishing operation masquerading as a legitimate online gambling platform. Analysis indicates the site specifically impersonates 'SLOT GACOR,' a fraudulent service promising rapid financial transactions to deceive users into disclosing credentials or transferring funds. The threat type falls under credential harvesting and financial fraud, with potential secondary risks including malware distribution through fake download prompts or malicious redirects embedded in the site infrastructure.

Infrastructure analysis reveals the following technical indicators: the domain resolves to IP address 172.66.47.97, hosted on Cloudflare's network (AS13335) in the United States. The domain was registered through Cloudflare, Inc. with an anomalous creation date of May 27, 2026, suggesting potential domain spoofing or registry manipulation. VirusTotal returns 0 detections out of 95 engines, indicating low immediate detection rates despite its presence on one security blocklist. The SSL certificate is issued by Let's Encrypt (serial number E8), providing HTTPS encryption that may lend false legitimacy to the phishing page. The page title explicitly advertises 'SLOT GACOR | Platform Resmi Terpercaya Menawarkan Sistem Deposit Kilat dan Withdraw Instan,' a clear social engineering lure targeting Indonesian-speaking users.

Mitigation requires immediate action from network defenders and end users. Organizations should implement DNS-level blocking for izin-lewat-pak.pages.dev and its resolving IP 172.66.47.97, with particular attention to Cloudflare-hosted domains exhibiting gambling-related content. Endpoint protection systems should be updated to flag the domain's SSL certificate fingerprint (Let's Encrypt E8) and monitor for connections to AS13335. Users should be educated to recognize the specific lures used in this campaign, including promises of 'instant withdrawals' and 'trusted platforms,' which are common indicators of financial phishing. Financial institutions should monitor for transactions originating from this domain's infrastructure and implement additional verification steps for users reporting interactions with the site. Given the domain's active status and low detection rates, continuous monitoring of related infrastructure is recommended to identify potential pivot domains or IP shifts.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: b8a0bf372c762e966cc99ede8682bc71
TLS cert SHA-256: f97b27a3553c5ebe9b99de07d74ccf35d2fc57d5a0fb61f62fca0bfef95da864

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/izin-lewat-pak.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=izin-lewat-pak.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,125 domains (13,587 alive under monitoring, 159,748 confirmed takedowns/dead).
Site: https://phishdestroy.io