# PhishDestroy threat dossier — live-dango.icu
================================================================

Fetched:   2026-05-01 09:34:03 UTC
Canonical: https://phishdestroy.io/domain/live-dango.icu/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: redirect_split) (score: 4/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      4/94 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, Forcepoint ThreatSeeker, Gridinsoft, Kaspersky

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      104.21.95.84 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     Cloudflare, Inc.
Registrar:       PDR Ltd. d/b/a PublicDomainRegistry.com
Nameservers:     ["daisy.ns.cloudflare.com", "rustam.ns.cloudflare.com"]
Registered:      2026-04-24
Page title:      Dango | Overview
HTTP response:   530

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E7
Expires:    2026-07-21
Status:     INVALID chain
Fingerprint: e26cad1c0016a7e4b2b0376663b0dea82ef118513ebf1bc095380cb7d98d8d00

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-24 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-24 18:21:38 UTC (by PhishDestroy tracker)
Last verified:     2026-05-01 11:58:41 UTC
Current status:    ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dc011-e394-743c-ae34-dce58ca78bb4/
Wayback Machine:  https://web.archive.org/web/*/live-dango.icu
crt.sh CT logs:   https://crt.sh/?q=%25.live-dango.icu
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=live-dango.icu
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/live-dango.icu
URLhaus:          https://urlhaus.abuse.ch/host/live-dango.icu/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-24 18:22:36 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies live-dango.icu as an active credential-harvesting scam designed to trick visitors into entering login details that are immediately sent to attackers. The site masquerades as a legitimate service, luring users to input usernames, passwords, or payment information which is then harvested for fraudulent use. This type of attack is particularly dangerous because compromised credentials can be reused across multiple platforms, increasing the risk of account takeovers and financial loss. Based on behavioral analysis, this domain is part of a broader campaign targeting unsuspecting users through deceptive login portals or fake service pages.  This domain was flagged by PhishDestroy with an elevated risk rating due to multiple red flags. The SSL certificate is issued by Let's Encrypt, a common choice among both legitimate and malicious sites, while the domain was registered on April 22, 2026, through PDR Ltd. d/b/a PublicDomainRegistry.com. VirusTotal shows only 1 out of 95 security vendors detected this threat as of the latest scan, highlighting how newly created malicious domains often evade early detection. The domain resolves to IP address 104.21.95.84, which has been linked to hosting infrastructure previously associated with phishing and malware campaigns. The domain’s youth and low detection rate make it a higher-risk threat that requires immediate attention and caution.  If you visited live-dango.icu and entered any personal information, assume your credentials or payment details have been compromised. Immediately change passwords for the affected account and enable two-factor authentication where possible. Scan your device for malware using reputable antivirus software, as some phishing pages may install tracking cookies or keyloggers. Report the incident to the legitimate service provider that the scam was impersonating and consider notifying your bank if financial details were exposed. Avoid clicking on any links from this domain in the future and warn others who may have encountered it. For further technical analysis and IOCs, consult the full PhishDestroy threat report associated with seed 2dcd1c.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       a6dc722d0de78df956dc98b313b3baf6
TLS cert SHA-256:      e26cad1c0016a7e4b2b0376663b0dea82ef118513ebf1bc095380cb7d98d8d00

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/live-dango.icu/
JSON API:          https://api.destroy.tools/v1/check?domain=live-dango.icu
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io