# PhishDestroy threat dossier — j55c.vip ================================================================ Fetched: 2026-07-13 07:27:38 UTC Canonical: https://phishdestroy.io/domain/j55c.vip/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 97/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 8/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, CRDF, Forcepoint ThreatSeeker, Fortinet, Gridinsoft, LevelBlue, SOCRadar, Webroot Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 103.27.177.163 (HK, Mong Kok) ASN: AS135357 HONG KONG KOWLOON TELECOMMUNICATIONS CO.,LIMITED Hosting org: HONG KONG KOWLOON TELECOMMUNICATIONS CO., LIMITED Registrar: NameMart Pte. Ltd. Nameservers: ns1.1111343.com, ns2.1111343.com, ns3.1111343.com, ns4.1111343.com Registered: 2026-05-10 Expires: 2027-05-10 HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-09-13 Status: INVALID chain Fingerprint: 8d1425d30ea0523238d1cd1f5d6a13eb1e5659d4bc797b8d46d7c9585340f3f5 Subject Alternative Names (related infrastructure — often same operator): - 13990.xyz - 14067.xyz - 14073.xyz - 14078.xyz - 14218.xyz - 14219.xyz - 14220.xyz - 14223.xyz - 67745.xyz - b26b.top - b26f.top - b26g.top - b26h.top - b26i.top - b26j.top ... +79 more ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-10 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-09 14:27:04 UTC (by PhishDestroy tracker) Last verified: 2026-07-13 08:20:41 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f46d7-4295-745a-9113-1a7a5ce205c9/ Wayback Machine: https://web.archive.org/web/*/j55c.vip crt.sh CT logs: https://crt.sh/?q=%25.j55c.vip Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=j55c.vip AlienVault OTX: https://otx.alienvault.com/indicator/domain/j55c.vip URLhaus: https://urlhaus.abuse.ch/host/j55c.vip/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-09 14:46:18 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as a high-risk entity due to its association with generic phishing activities. The domain j55c.vip is currently active and poses a significant threat to internet users by attempting to engage in unauthorized access attempts. The high-risk level is compounded by its use of modern web technologies which can effectively obfuscate phishing content. The domain j55c.vip was created on May 10, 2026, and is registered through NameMart Pte. Ltd. It resolves to the IP address 103.27.177.163. The presence of Vue.js, Nginx, HSTS, Cloudflare, and HTTP/3 technologies suggests a sophisticated setup intended to mimic legitimate platforms. The domain's SSL certificate is issued by Let's Encrypt, which might give users a false sense of security. VirusTotal has flagged this domain with a detection count of 5 out of 95 security vendors, underscoring the potential threat it poses. Despite its detection, this domain is still active and not widely blocked across multiple platforms, which increases the possibility of successful phishing attempts. To mitigate the threat posed by j55c.vip, organizations and individual users should implement network-level blocks for the IP 103.27.177.163, ensuring that this domain and its associated IP do not reach end-user systems. Security teams should update phishing domain filters to include this domain and monitor for any network traffic attempting to communicate with it. Encouraging end-users to report suspicious emails or web interactions that appear to originate from this domain could help in early detection and mitigation of potential phishing attempts. Additionally, continuously updating security tools to recognize and block domains flagged by threat databases like VirusTotal can enhance overall security posture. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 82b6e464cf8021c5015867bab121bf84 TLS cert SHA-256: 8d1425d30ea0523238d1cd1f5d6a13eb1e5659d4bc797b8d46d7c9585340f3f5 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/j55c.vip/ JSON API: https://api.destroy.tools/v1/check?domain=j55c.vip Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,026 domains (49,756 alive under monitoring, 128,270 confirmed takedowns/dead). Site: https://phishdestroy.io