# PhishDestroy threat dossier — jay-kinda-funny.shop ================================================================ Fetched: 2026-07-12 20:15:28 UTC Canonical: https://phishdestroy.io/domain/jay-kinda-funny.shop/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 75/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/91 security vendors flagged this domain Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.66.143.73 (NL, Amsterdam) ASN: AS200514 KnownSRV Ltd. Hosting org: KnownSRV Ltd Registrar: REGISTRAR_NOT_FOUND Nameservers: dexter.ns.cloudflare.com, zelda.ns.cloudflare.com Page title: Jaykindafunny Shop - Official Jaykindafunny Merchandise Store HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE2 Expires: 2026-09-14 Status: INVALID chain Fingerprint: 875bc485fd97044cf6bb956bab58b323cc6ea39627d7ce445dc6527b05d3fa30 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-12 17:38:58 UTC (by PhishDestroy tracker) Last verified: 2026-07-12 20:30:13 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f56fa-d6e4-702e-bc91-d22d69fe2c83/ Wayback Machine: https://web.archive.org/web/*/jay-kinda-funny.shop crt.sh CT logs: https://crt.sh/?q=%25.jay-kinda-funny.shop Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=jay-kinda-funny.shop AlienVault OTX: https://otx.alienvault.com/indicator/domain/jay-kinda-funny.shop URLhaus: https://urlhaus.abuse.ch/host/jay-kinda-funny.shop/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:47:07 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] Analysis of jay-kinda-funny.shop shows that the domain resolves to the IPv4 address 185.66.143.73 and is served through Cloudflare’s DNS infrastructure, using the authoritative nameservers dexter.ns.cloudflare.com and zelda.ns.cloudflare.com. The use of Cloudflare indicates an attempt to obscure the true origin of the web server and to benefit from the provider’s DDoS mitigation and caching services. No additional IP aliases or CNAME records are publicly observable beyond the single A record. The site has been classified as a generic phishing portal. Although the landing page content has not been publicly archived, the domain follows a pattern commonly observed in credential‑harvesting campaigns: a short, memorable .shop TLD, a playful brand‑like phrase, and a reliance on third‑party hosting to hide the operator’s identity. Such sites typically present counterfeit login forms for popular services and forward submitted credentials to an undisclosed backend. VirusTotal currently reports zero detections out of 95 scanners, which reflects the early stage of the campaign rather than an indication of benign intent. The lack of historical abuse records suggests the domain was likely registered and activated shortly before the present investigation, a timing consistent with fast‑flux phishing operations that rotate domains to evade blacklist accumulation. No ASN, country, or associated malware kit information is available, leaving the attribution of the actors uncertain. Defenders should treat jay-kinda-funny.shop as a high‑confidence malicious indicator. Immediate actions include adding the domain and its resolved IP address to outbound filtering rules, monitoring DNS queries for the Cloudflare nameservers, and deploying sinkhole or sandbox analysis on any HTTP requests to capture the exact phishing payload. Continuous re‑scanning on VirusTotal and other sandbox services is advised to detect any later malicious code uploads. Organizations should also educate users about the deceptive nature of .shop domains that mimic legitimate brand language. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 263c9f6fc2309245287f12b8e22bd2ce TLS cert SHA-256: 875bc485fd97044cf6bb956bab58b323cc6ea39627d7ce445dc6527b05d3fa30 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/jay-kinda-funny.shop/ JSON API: https://api.destroy.tools/v1/check?domain=jay-kinda-funny.shop Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,876 domains (49,620 alive under monitoring, 128,256 confirmed takedowns/dead). Site: https://phishdestroy.io