# PhishDestroy threat dossier — platform.rmkcapital.online
================================================================
Fetched: 2026-05-31 04:59:57 UTC
Canonical: https://phishdestroy.io/domain/platform.rmkcapital.online/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 11/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CRDF, CyRadar, Fortinet, G-Data, Gridinsoft, LevelBlue, Lionic, Sophos
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 103.155.93.207 (MY, Kuala Lumpur)
ASN: AS45839 Shinjiru Technology Sdn Bhd
Hosting org: Shinjiru Technology Sdn Bhd
Registrar: NameSilo, LLC

!!! REGISTRAR INTEGRITY ALERT — NameSilo !!!
NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence.
Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received.
Primary sources:
- https://phishdestroy.io/namesilo-killed-our-twitter
- https://phishdestroy.io/xmrwallet-namesilo-exposed

Nameservers: anastasia.ns.cloudflare.com, lloyd.ns.cloudflare.com
Registered: 2026-03-13
Page title: Webtrader

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Sectigo Limited / Sectigo Public Server Authentication CA DV R36
Expires: 2026-09-27
Status: INVALID chain
Fingerprint (SHA-256): 29a7cb9362951c0f934caad1e0d959e348ac45e7a42e3987584d594c43643984
Subject Alternative Names (related infrastructure — often same operator):
- www.platform.rmkcapital.online

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched: either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
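The SAN list in the TLS CERTIFICATE section is a pivot point: every name on the certificate, and every other certificate logged for the same apex domain, is candidate related infrastructure. The added example below (not PhishDestroy's code) parses a crt.sh JSON export, collapses the precertificate/leaf pairs that CT logs as separate rows, lists the hostnames under an apex, and checks whether CT shows issuance before the WHOIS creation date, which is the renewal-or-transfer case the TIMELINE note below warns about. The JSON keys are crt.sh's; the apex trader-example.test, the certificate IDs and every row in the sample are constructed.

```python
"""Pivot on CT logs: related hostnames and an issuance-vs-registration check.
Added example; not PhishDestroy's code. Keys match crt.sh's ?output=json rows;
the apex trader-example.test and every row below are constructed."""
import json
from datetime import date, datetime

# Issuer string in the form crt.sh reports it (the dossier's issuer, used as sample data).
ISSUER = "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36"


def ct_row(cert_id, names, not_before, not_after, issuer=ISSUER):
    """One constructed crt.sh row; name_value is newline-separated, as crt.sh emits it."""
    return {"issuer_ca_id": 1, "issuer_name": issuer, "common_name": names[0],
            "name_value": "\n".join(names), "id": cert_id, "entry_timestamp": not_before,
            "not_before": not_before, "not_after": not_after, "serial_number": f"{cert_id:x}"}


# Constructed export for https://crt.sh/?q=%25.trader-example.test&output=json:
# a leaf and its precertificate (two rows, identical names and validity) plus an
# older wildcard certificate issued before the hypothetical WHOIS creation date.
SAMPLE_CRTSH_JSON = json.dumps([
    ct_row(1001, ["platform.trader-example.test", "www.platform.trader-example.test"],
           "2026-03-13T00:00:00", "2026-09-27T23:59:59"),
    ct_row(1002, ["platform.trader-example.test", "www.platform.trader-example.test"],
           "2026-03-13T00:00:00", "2026-09-27T23:59:59"),
    ct_row(900, ["*.trader-example.test", "trader-example.test"],
           "2025-12-01T00:00:00", "2026-03-01T23:59:59"),
])


def parse_crtsh(json_text: str) -> list:
    """Rows as {id, names, issuer, not_before, not_after}, deduplicated, oldest first."""
    seen, rows = set(), []
    for row in json.loads(json_text):
        names = tuple(sorted({n.strip().lower() for n in row["name_value"].split("\n") if n.strip()}))
        nb = datetime.fromisoformat(row["not_before"])
        na = datetime.fromisoformat(row["not_after"])
        key = (names, nb, na, row["issuer_name"])
        if key in seen:  # precertificate and leaf are logged as separate entries
            continue
        seen.add(key)
        rows.append({"id": row["id"], "names": names, "issuer": row["issuer_name"],
                     "not_before": nb, "not_after": na})
    rows.sort(key=lambda r: r["not_before"])
    return rows


def related_hostnames(rows, apex):
    """Concrete hostnames at or under apex, with wildcard names listed separately."""
    hosts, wildcards = set(), set()
    for r in rows:
        for n in r["names"]:
            if n == apex or n.endswith("." + apex):
                (wildcards if n.startswith("*.") else hosts).add(n)
    return sorted(hosts), sorted(wildcards)


def earliest_issuance(rows):
    """Date of the oldest logged certificate, or None if CT has nothing."""
    return rows[0]["not_before"].date() if rows else None


def whois_date_is_first_registration(rows, whois_created_iso: str) -> bool:
    """False when CT shows a certificate issued before the WHOIS creation date:
    the domain existed earlier, so the WHOIS date reflects a renewal, transfer
    or re-registration rather than first-ever registration."""
    first = earliest_issuance(rows)
    return first is None or first >= date.fromisoformat(whois_created_iso)


if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_CRTSH_JSON)
    print("hosts / wildcards:", related_hostnames(certs, "trader-example.test"))
    print("earliest issuance:", earliest_issuance(certs))
    print("WHOIS 2026-03-13 is first registration:",
          whois_date_is_first_registration(certs, "2026-03-13"))
```

Run against a real export, swap the query for `%.<apex>` rather than `%.<host>` so sibling hostnames are included; the dossier's own crt.sh link only covers names under platform.rmkcapital.online.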
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-03-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-15 16:41:47 UTC (by PhishDestroy tracker)
First reported: 2026-04-15 13:46:18 UTC (abuse notice filed)
Last verified: 2026-05-31 05:20:36 UTC
Neutralised: 2026-04-23 02:14:14 UTC
Current status: taken down (registrar suspended or DNS dead)
Note: the "First reported" timestamp precedes "First detected" and conflicts with the ABUSE-REPORT HISTORY status above (no formal notice was sent); treat the report timestamp as unverified.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d915e-a2d6-77a1-a4bb-af012c1d9369/
URLQuery: https://urlquery.net/report/6a68f1b6-de69-40df-aa52-2952619b73ef
Wayback Machine: https://web.archive.org/web/*/platform.rmkcapital.online
crt.sh CT logs: https://crt.sh/?q=%25.platform.rmkcapital.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=platform.rmkcapital.online
AlienVault OTX: https://otx.alienvault.com/indicator/domain/platform.rmkcapital.online
URLhaus: https://urlhaus.abuse.ch/host/platform.rmkcapital.online/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-15 16:42:52 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies platform.rmkcapital.online as a generic phishing domain that mimics a "Webtrader" trading-platform interface in order to harvest credentials or financial data. The page title 'Webtrader' suggests an attempt to imitate legitimate trading dashboards, most likely using social engineering to trick users into entering sensitive account details.
No known drainer-kit signatures were detected in available intelligence at the time of analysis, but the trading-interface lure implies a high likelihood of credential theft or financial fraud. This domain was flagged with a generic phishing threat vector and remained under investigation despite 0 detections on VirusTotal (0/95) at the time. It was registered through NameSilo, LLC, resolved to IP 103.155.93.207, and used a TLS certificate issued by Sectigo Limited. The domain was created on March 13, 2026, roughly one month before detection, and at the time of writing was active and unflagged by Google Safe Browsing (GSB status: unflagged, blocklist count: 0). These indicators point to a newly active but operationally quiet actor using fresh infrastructure to avoid immediate detection.

As of the scan that produced this narrative, platform.rmkcapital.online remained active with no takedown or blocklist inclusion. Response actions consisted of ongoing monitoring and intelligence enrichment, with the risk level still under investigation given the absence of detections and low blocklist presence. Users are advised to avoid interacting with this domain, to verify all financial platforms via official channels, and to report any encountered instances to threat-intelligence platforms. The lack of detection at that stage suggests the campaign was either early in its life cycle or employing evasion techniques, leaving a latent risk to potential victims.

[Updates since narrative was generated:]
- VirusTotal detections: now 11/94 (narrative was written when count was lower)
- Public blocklists: now 3 (narrative reported 0)
- Status: now TAKEN DOWN, neutralised 2026-04-23 02:14:14 UTC (narrative reported the domain as active)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260415-FF1D7A
Favicon MD5: e3f9ca736987334d430e8d4e024605e8
TLS cert SHA-256: 29a7cb9362951c0f934caad1e0d959e348ac45e7a42e3987584d594c43643984

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/platform.rmkcapital.online/
JSON API: https://api.destroy.tools/v1/check?domain=platform.rmkcapital.online
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 156,161 domains (38,595 alive under monitoring, 117,071 confirmed takedowns/dead).
Site: https://phishdestroy.io
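Worked example for the DETECTION EVIDENCE count and the SCORING METHODOLOGY caveat above. The dossier's "11/94" is the kind of figure VirusTotal's domain report yields, and the caveat is that a 0/95 on a domain a few weeks old carries no information. The added example below (not PhishDestroy's scoring code) reads a VirusTotal API v3 domain object, derives the flagged/total ratio and the list of flagging vendors, takes the domain age from the WHOIS creation date VT carries, and applies the 30-day rule from the caveat as a triage label. The field names (`last_analysis_stats`, `last_analysis_results`, `creation_date`) are VT's; the vendor names, counts, domains and dates are constructed, and treating VT's displayed denominator as "engines that returned a verdict, timeouts excluded" is an assumption.

```python
"""Read a VirusTotal v3 domain report and apply the dossier's young-domain caveat.
Added example; not PhishDestroy's code. Field layout follows VT's API v3 domain
object; vendor names, counts, domains and dates below are constructed."""
import json
from datetime import datetime, timezone

FLAGGING = ("malicious", "suspicious")
YOUNG_DOMAIN_DAYS = 30  # upper end of the dossier's "first 7-30 days" window


def make_report(domain: str, created_iso: str, results: dict) -> str:
    """Build a VT-shaped JSON document from per-vendor verdicts (constructed data)."""
    stats = {"harmless": 0, "malicious": 0, "suspicious": 0, "undetected": 0, "timeout": 0}
    for verdict in results.values():
        stats[verdict["category"]] += 1
    created = datetime.fromisoformat(created_iso).replace(tzinfo=timezone.utc)
    return json.dumps({"data": {"type": "domain", "id": domain, "attributes": {
        "creation_date": int(created.timestamp()),       # VT stores WHOIS creation as a Unix timestamp
        "last_analysis_stats": stats,
        "last_analysis_results": results}}})


# Constructed: a domain with three flagging vendors out of six that answered (one timed out).
SAMPLE_VT_REPORT = make_report("trader-example.test", "2026-03-13", {
    "VendorA": {"category": "malicious", "result": "phishing"},
    "VendorB": {"category": "malicious", "result": "malware"},
    "VendorC": {"category": "suspicious", "result": "suspicious"},
    "VendorD": {"category": "harmless", "result": "clean"},
    "VendorE": {"category": "undetected", "result": None},
    "VendorF": {"category": "undetected", "result": None},
    "VendorG": {"category": "timeout", "result": None},
})
# Constructed: a week-old domain nobody has flagged yet.
SAMPLE_CLEAN_YOUNG = make_report("fresh-example.test", "2026-03-13", {
    "VendorA": {"category": "harmless", "result": "clean"},
    "VendorB": {"category": "undetected", "result": None},
})


def parse_vt_domain(report_json: str) -> dict:
    """Flagged count, denominator, flagging vendors and WHOIS creation date from a VT v3 report."""
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    # Assumption: VT's "x/y" counts engines that returned a verdict, so timeouts are left out of y.
    total = sum(n for category, n in stats.items() if category != "timeout")
    vendors = sorted(name for name, r in attrs["last_analysis_results"].items()
                     if r["category"] in FLAGGING)
    created = datetime.fromtimestamp(attrs["creation_date"], tz=timezone.utc).date()
    return {"flagged": stats["malicious"] + stats["suspicious"], "total": total,
            "vendors": vendors, "created": created}


def domain_age_days(summary: dict, as_of_iso: str) -> int:
    """Days between the WHOIS creation date and the date of the assessment."""
    return (datetime.fromisoformat(as_of_iso).date() - summary["created"]).days


def triage(summary: dict, as_of_iso: str, blocklists: int) -> str:
    """Label a domain; a zero VT count is only treated as a signal after the young-domain window."""
    age = domain_age_days(summary, as_of_iso)
    if summary["flagged"] or blocklists:
        return f"FLAGGED: VT {summary['flagged']}/{summary['total']}, {blocklists} blocklist(s), age {age}d"
    if age <= YOUNG_DOMAIN_DAYS:
        return f"UNKNOWN: {age}d old with VT 0/{summary['total']}; silence is expected this early"
    return f"NO-VT-SIGNAL: VT 0/{summary['total']} after {age}d; still cross-check other indicators"


if __name__ == "__main__":
    s = parse_vt_domain(SAMPLE_VT_REPORT)
    print(s["vendors"], triage(s, "2026-04-15", 0))
    print(triage(parse_vt_domain(SAMPLE_CLEAN_YOUNG), "2026-03-20", 0))
```

The triage label only encodes the rule the dossier states (VT silence on a young domain is not evidence of safety); it does not reproduce PhishDestroy's composite score, whose weights the page does not publish.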