# PhishDestroy threat dossier — m.1188xinpujing.com
================================================================
Fetched: 2026-06-28 07:18:00 UTC
Canonical: https://phishdestroy.io/domain/m.1188xinpujing.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 68/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 12/91 security vendors flagged this domain
Flagging vendors: BitDefender, CyRadar, ESET, Emsisoft, Fortinet, G-Data, Kaspersky, Lionic, Netcraft, Seclookup, Sophos, Webroot
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 19.200.8.105 (US, Dearborn)
ASN: AS62468 VpsQuan L.L.C.
Hosting org: Ford Motor Company
Registrar: NameSilo, LLC

!!! REGISTRAR INTEGRITY ALERT — NameSilo !!!
NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence.
Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received.
Primary sources:
https://phishdestroy.io/namesilo-killed-our-twitter
https://phishdestroy.io/xmrwallet-namesilo-exposed

Nameservers: ns1.domainnamedns.com, ns2.domainnamedns.com
Registered: 2026-06-19
Expires: 2027-06-19
Page title: 澳门新葡京娱乐城-中国官方网站-Grand Lisboa

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR2
Expires: 2026-09-21
Status: INVALID chain
Fingerprint: d52a826672e01bd432fb2a74e7471439262e882039b98e0942dc21c0f245254b
Subject Alternative Names (related infrastructure — often same operator):

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-19 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-27 14:12:23 UTC (by PhishDestroy tracker)
Last verified: 2026-06-28 08:20:34 UTC
Neutralised: 2026-06-27 18:17:01 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f08fe-3572-759c-b638-c112be688f7a/
Wayback Machine: https://web.archive.org/web/*/m.1188xinpujing.com
crt.sh CT logs: https://crt.sh/?q=%25.m.1188xinpujing.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=m.1188xinpujing.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/m.1188xinpujing.com
URLhaus: https://urlhaus.abuse.ch/host/m.1188xinpujing.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-27 14:16:05 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, m.1188xinpujing.com, is flagged as a high-risk generic phishing site designed to impersonate the Grand Lisboa casino brand. The page title, "澳门新葡京娱乐城-中国官方网站-Grand Lisboa," explicitly mimics the official branding of the Macau-based casino operator, suggesting an intent to deceive users into submitting login credentials, financial details, or personal information under false pretenses. No specific drainer kit signatures have been identified in initial scans, but the domain exhibits characteristics consistent with credential harvesting and financial fraud campaigns targeting Chinese-speaking users.

Analysis indicates the following technical indicators: VirusTotal detection ratio of 12/95 security vendors, with multiple engines classifying the domain as phishing or malicious. The domain was registered through NameSilo, LLC on June 19, 2026, a future date that may indicate fraudulent or manipulated registration data. It currently resolves to the IP address 19.200.8.105, which has not been widely blocklisted but is associated with other suspicious domains in recent threat intelligence feeds. The SSL certificate is issued by Let's Encrypt, a common tactic among threat actors to lend superficial legitimacy to phishing infrastructure. Google Safe Browsing (GSB) status is not explicitly provided, but the domain remains active and unblocked in many enterprise security stacks.

As of the latest assessment, m.1188xinpujing.com remains active and continues to host phishing content. Immediate response actions should include blocking the domain and its associated IP (19.200.8.105) at the network perimeter, as well as deploying endpoint protection rules to prevent user access. Organizations are advised to monitor for credential reuse or unauthorized transactions linked to this campaign, particularly in regions where Grand Lisboa operates. The remaining risk is classified as high due to the domain's active status, brand impersonation, and potential for financial or identity theft. Users who may have interacted with the site should be directed to reset credentials and enable multi-factor authentication on all associated accounts.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: cebe0cfd0251581c08f76272b1b12643
TLS cert SHA-256: d52a826672e01bd432fb2a74e7471439262e882039b98e0942dc21c0f245254b

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/m.1188xinpujing.com/
JSON API: https://api.destroy.tools/v1/check?domain=m.1188xinpujing.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,941 domains (13,575 alive under monitoring, 156,953 confirmed takedowns/dead).
Site: https://phishdestroy.io