# PhishDestroy threat dossier — of-whatapp.top
================================================================
Fetched: 2026-06-30 11:03:47 UTC
Canonical: https://phishdestroy.io/domain/of-whatapp.top/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 68/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 21/91 security vendors flagged this domain
Flagging vendors: Criminal IP, alphaMountain.ai, BitDefender, Chong Lua Dao, Cluster25, CRDF, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, Netcraft, OpenPhish, SOCRadar, Sophos, Webroot
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 154.206.233.25 (HK, Tung Chung)
ASN: AS9294 GNETINC-AS-AP - GNET INC., US
Hosting org: AS9294 GNET INC.
Registrar: Vantage of Convergence Chengdu Technology Co., Ltd.
Nameservers: ns1.kenpains.com, ns2.kenpains.com
Registered: 2026-06-28
Expires: 2027-06-28
Page title: WhatsApp网页版 - 即时通讯,

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR2
Expires: 2026-09-26
Status: INVALID chain
Fingerprint: 7cea9beeb1c62752823c17d7592515a337b35a7f03ddd085ba1c2c99b3099dac
Subject Alternative Names (related infrastructure — often same operator):
- alt-whatapp.hl.cn
- at-whatapp.hl.cn
- co-whatapp.hl.cn
- com-whatapp.hl.cn
- et-whatapp.hl.cn
- fans-whatapp.hl.cn
- html-whatapp.hl.cn
- icu-whatapp.hl.cn
- ime-whatapp.hl.cn
- index-whatapp.hl.cn
- intl-whatapp.hl.cn
- ku-whatapp.hl.cn
- kuai-whatapp.hl.cn
- mail-whatapp.hl.cn
- mo-whatapp.hl.cn
... +28 more

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-29 15:29:30 UTC (by PhishDestroy tracker)
First reported: 2026-06-29 13:37:16 UTC (abuse notice filed)
Last verified: 2026-06-30 12:20:35 UTC
Neutralised: 2026-06-29 18:17:40 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f1390-eb81-773a-9fc8-eb2b3c976e05/
URLQuery: https://urlquery.net/report/9afa8328-d296-4684-9d30-5cf8ed0bd45e
Wayback Machine: https://web.archive.org/web/*/of-whatapp.top
crt.sh CT logs: https://crt.sh/?q=%25.of-whatapp.top
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=of-whatapp.top
AlienVault OTX: https://otx.alienvault.com/indicator/domain/of-whatapp.top
URLhaus: https://urlhaus.abuse.ch/host/of-whatapp.top/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-29 15:34:46 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, of-whatapp.top, is actively engaged in a phishing campaign designed to impersonate the official WhatsApp Web platform. The site presents a fraudulent login interface under the title 'WhatsApp网页版 - 即时通讯,' targeting users who seek to access WhatsApp through a web browser. The objective of this campaign is to deceive victims into entering their credentials, which are subsequently captured by the threat actors for unauthorized access, account takeover, or further malicious activities such as spam propagation or financial fraud.

Analysis of the domain infrastructure reveals multiple indicators of malicious intent. The domain was registered on June 28, 2026, through Vantage of Convergence Chengdu Technology Co., Ltd., a registrar frequently associated with high-risk domains. It resolves to the IP address 154.206.233.25, which has been linked to other phishing and fraudulent activities. Detection engines on VirusTotal flag the domain as malicious, with 13 out of 95 security vendors marking it as a phishing threat. Additionally, the domain employs a Let's Encrypt SSL certificate, which, while providing encryption, is commonly abused by threat actors to lend a false sense of legitimacy to phishing sites.

Users who have visited of-whatapp.top or entered credentials on the site should take immediate action to mitigate potential risks. First, any credentials entered on the site should be considered compromised and changed immediately across all platforms where the same credentials may have been reused. Affected users are advised to enable multi-factor authentication on their accounts to prevent unauthorized access. Additionally, monitoring for unusual activity, such as unauthorized messages or login attempts, is recommended. Organizations and individuals should block the domain and its associated IP address (154.206.233.25) at the network level to prevent further exposure. Reporting the domain to relevant security teams or threat intelligence platforms can aid in broader mitigation efforts.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260629-C8744C
Favicon MD5: b70e6078004aeb5146c635cc4c8af761
TLS cert SHA-256: 7cea9beeb1c62752823c17d7592515a337b35a7f03ddd085ba1c2c99b3099dac

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/of-whatapp.top/
JSON API: https://api.destroy.tools/v1/check?domain=of-whatapp.top
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,677 domains (12,755 alive under monitoring, 159,332 confirmed takedowns/dead).
Site: https://phishdestroy.io