# PhishDestroy threat dossier — m.padisahbetadres.live ================================================================ Fetched: 2026-07-15 15:47:59 UTC Canonical: https://phishdestroy.io/domain/m.padisahbetadres.live/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 64/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 8/91 security vendors flagged this domain Flagging vendors: BitDefender, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, OpenPhish, SOCRadar, Sophos Public blocklists: listed on 2 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.160.92 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: REGISTRAR_NOT_FOUND Nameservers: NS_NOT_FOUND ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-15 15:29:14 UTC (by PhishDestroy tracker) Last verified: 2026-07-15 16:30:03 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f65f6-4822-744f-91bc-711143273042/ Wayback Machine: https://web.archive.org/web/*/m.padisahbetadres.live crt.sh CT logs: https://crt.sh/?q=%25.m.padisahbetadres.live Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=m.padisahbetadres.live AlienVault OTX: https://otx.alienvault.com/indicator/domain/m.padisahbetadres.live URLhaus: https://urlhaus.abuse.ch/host/m.padisahbetadres.live/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-15 15:40:42 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, m.padisahbetadres.live, is flagged as an active phishing endpoint targeting user credentials. Infrastructure analysis reveals it resolves to IP address 172.67.160.92, a Cloudflare proxy node commonly used to mask origin servers. No authoritative nameservers are currently configured, which may indicate a misconfigured or rapidly deployed phishing kit. Eight security vendors on VirusTotal have detected malicious activity associated with this domain, though the specific payload or brand impersonation remains unconfirmed. The absence of nameserver records suggests either an incomplete deployment or an attempt to evade DNS-based detection. Defenders should treat this domain as high-risk and block it at the network level. Further investigation should include monitoring for related subdomains or IPs, checking for SSL certificate associations, and reviewing proxy logs for connections to 172.67.160.92. Given the lack of nameserver data, passive DNS queries may yield limited results; active scanning or sinkholing could provide additional context on the campaign's scope. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/m.padisahbetadres.live/ JSON API: https://api.destroy.tools/v1/check?domain=m.padisahbetadres.live Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,201 domains (50,731 alive under monitoring, 128,470 confirmed takedowns/dead). Site: https://phishdestroy.io