# PhishDestroy threat dossier — m.padisahbet-2026gir.vip
================================================================
Fetched: 2026-05-15 17:25:53 UTC
Canonical: https://phishdestroy.io/domain/m.padisahbet-2026gir.vip/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 8/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, CRDF, Forcepoint ThreatSeeker, G-Data, Gridinsoft, Kaspersky, OpenPhish, SOCRadar
URLQuery: 2 detections
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.96.3
Registrar: Dynadot Inc
Nameservers: brenda.ns.cloudflare.com, julian.ns.cloudflare.com
Registered: 2026-05-14
Page title: Padişahbet Resmi Divan 2026 | Lisanslı Spor Bahis ve Casino Sitesi - Hızlı Üyelik
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E7
Expires: 2026-08-12
Status: INVALID chain
Fingerprint: a363a893270c7775e1c832ee8faaa11bb8ec96ec6de2449185137ca93fe0ece4
Subject Alternative Names (related infrastructure — often same operator):
- padisahbet-2026gir.vip

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-15 17:42:28 UTC (by PhishDestroy tracker)
First reported: 2026-05-15 14:43:48 UTC (abuse notice filed)
Last verified: 2026-05-15 19:50:03 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e2c15-e3ce-751c-91ee-a244863801c1/
URLQuery: https://urlquery.net/report/9ab16ab3-33cc-4ee7-bd8d-8d845ff12ecb
Wayback Machine: https://web.archive.org/web/*/m.padisahbet-2026gir.vip
crt.sh CT logs: https://crt.sh/?q=%25.m.padisahbet-2026gir.vip
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=m.padisahbet-2026gir.vip
AlienVault OTX: https://otx.alienvault.com/indicator/domain/m.padisahbet-2026gir.vip
URLhaus: https://urlhaus.abuse.ch/host/m.padisahbet-2026gir.vip/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-15 17:43:08 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies m.padisahbet-2026gir.vip as an active romance-scamming site designed to trick visitors into fake online relationships for money. The page masquerades as a betting portal under the guise of a 2026 event to lure users who click suspicious links or ads. Once on the page, visitors are prompted to create accounts and deposit funds, with no real betting functionality ever delivered. All engagement is engineered to extract payment details or personal data for identity theft. This domain was flagged by OpenPhish and appears on one additional security blocklist, confirming its malicious intent.

This domain was registered on May 14 2026 through Dynadot Inc and hosts its content behind a Let’s Encrypt SSL certificate to appear trustworthy. VirusTotal analysis shows that 8 of 95 participating security vendors have already labeled the domain as malicious, while the site resolves to IP address 188.114.96.3 which is associated with fraudulent infrastructure. The combination of a fresh registration date, low detection count, and hosting on a known risky IP underlines the elevated threat level.

If you visited m.padisahbet-2026gir.vip, stop any interaction immediately and avoid entering any personal or financial information. Review bank and card statements for unauthorized charges and consider enabling two-factor authentication on important accounts. Run a full antivirus scan and clear browser cache and cookies to remove any lingering tracking scripts. Report the domain to your bank if you entered payment details, and file a complaint with your country’s cybercrime reporting center.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260515-1A7C5C
Favicon MD5: a149b139de662d7b5bc4997930340dff
TLS cert SHA-256: a363a893270c7775e1c832ee8faaa11bb8ec96ec6de2449185137ca93fe0ece4

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/m.padisahbet-2026gir.vip/
JSON API: https://api.destroy.tools/v1/check?domain=m.padisahbet-2026gir.vip
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 149,880 domains (33,190 alive under monitoring, 115,142 confirmed takedowns/dead).
Site: https://phishdestroy.io