# phantom.builders — MALICIOUS

> phantom.builders flagged for active phishing attacks. Learn key details and how to protect yourself from this evolving cyber threat.

## Summary

PhishDestroy identifies phantom.builders as a high-risk phishing domain actively used to deceive users and compromise sensitive information. This generic phishing threat poses significant risks by impersonating legitimate services to harvest credentials or deliver malware, potentially leading to financial loss and identity theft.

The domain phantom.builders was registered recently on February 21, 2026, and has quickly appeared on three prominent security blocklists. Analysis from VirusTotal indicates that 19 out of 95 security vendors currently detect this domain as malicious, confirming its active use in phishing campaigns. Despite these flags, the domain remains operational, highlighting the urgency for heightened vigilance.

Users are strongly advised to avoid interacting with any unsolicited emails or links directing to phantom.builders. Organizations should update email filters and endpoint security measures to block this domain. Individuals should verify website URLs carefully and report any suspicious activity to cybersecurity teams or reporting platforms. Maintaining robust security hygiene is critical to mitigating the risks posed by this active phishing threat.

## Threat Details

- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Phantom
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence

- Registered: 2026-02-02 02:09:20
- Registrar: Hosting Concepts B.V. d/b/a Registrar.eu
- Country: CZ
- IP: 172.67.152.66
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["garret.ns.cloudflare.com", "janet.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status

- VirusTotal: 19 vendors flagged
  - Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CRDF", "CyRadar", "ESET", "Forcepoint ThreatSeeker", "Fortinet", "G-Data", "Gridinsoft", "Lionic", "Netcraft", "Seclookup", "SOCRadar", "Sophos", "Trustwave", "VIPRE", "Webroot"]
- Google Safe Browsing: clean
- Blocklists: 2 hits
  - Lists: ["PhishDestroy", "MetaMask"]

## Evidence

- Screenshot: https://urlscan.io/screenshots/019c6d1b-b660-767b-9d8a-a402b9ec2db9.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/8cf97a6c-869e-40ec-b41f-4bdc5151ffb8
- PhishDestroy: https://phishdestroy.io/domain/phantom.builders/
- LLM endpoint: https://phishdestroy.io/domain/phantom.builders/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/phantom.builders/

Last updated: 2026-03-19