# PhishDestroy threat dossier — play-rollbit.org ================================================================ Fetched: 2026-07-13 02:19:16 UTC Canonical: https://phishdestroy.io/domain/play-rollbit.org/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 7/91 security vendors flagged this domain Flagging vendors: BitDefender, CyRadar, Forcepoint ThreatSeeker, G-Data, Kaspersky, SOCRadar, Sophos URLQuery: 2 detections AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.96.3 (US, San Francisco) ASN: AS13335 Cloudflare, Inc. Hosting org: AS13335 Cloudflare, Inc. Registrar: Spaceship, Inc. Nameservers: carla.ns.cloudflare.com, derek.ns.cloudflare.com Registered: 2026-05-28 Expires: 2027-05-28 Page title: Rollbit | 100% Welcome Bonus + Crypto Rewards Play Now HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-08-26 Status: INVALID chain Fingerprint: 37ce598b5f3addc25b3d2c757d852515670cb3a71adc9b42de0e310f7c1194b4 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-10 14:44:54 UTC (by PhishDestroy tracker) First reported: 2026-07-12 20:47:12 UTC (abuse notice filed) Last verified: 2026-07-13 00:40:25 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4c0d-f4a1-719c-9fa9-6f4a2ca96247/ URLQuery: https://urlquery.net/report/66a163f0-67c5-4261-9cc0-3a835fbd6aad Wayback Machine: https://web.archive.org/web/*/play-rollbit.org crt.sh CT logs: https://crt.sh/?q=%25.play-rollbit.org Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=play-rollbit.org AlienVault OTX: https://otx.alienvault.com/indicator/domain/play-rollbit.org URLhaus: https://urlhaus.abuse.ch/host/play-rollbit.org/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-10 14:55:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, play-rollbit.org, poses as a legitimate cryptocurrency gambling platform to deceive users into disclosing sensitive account credentials or depositing funds. The site mimics Rollbit, a known crypto gaming service, by replicating its branding, promotional offers such as a 100% welcome bonus, and reward structures. Unsuspecting visitors may enter login details or transfer cryptocurrency under the false pretense of accessing exclusive bonuses, only to have their assets stolen or accounts compromised by threat actors. Analysis indicates the domain was registered on May 28, 2026, through the registrar Spaceship, Inc. It currently resolves to the IP address 188.114.96.3 and holds a Let's Encrypt SSL certificate, which may lend an illusion of legitimacy. Despite its active status and presence in one AlienVault OTX threat intelligence pulse, the domain remains undetected by all 95 security engines on VirusTotal, suggesting either recent deployment or evasion techniques. The page title, 'Rollbit | 100% Welcome Bonus + Crypto Rewards Play Now,' directly mirrors marketing language used by the authentic platform, reinforcing the deception. Users who have visited play-rollbit.org should immediately cease all interaction with the site. If credentials were entered, affected individuals should change passwords on the legitimate Rollbit platform and any other services where the same credentials may have been reused. Monitor financial and cryptocurrency accounts for unauthorized transactions and enable multi-factor authentication where available. Report the incident to relevant security teams or fraud reporting channels to assist in tracking and mitigating the campaign. Avoid clicking on any links or downloading files from unsolicited communications referencing this domain. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-602C38 Favicon MD5: ba837530be31259f02385a91ecd9f62d TLS cert SHA-256: 37ce598b5f3addc25b3d2c757d852515670cb3a71adc9b42de0e310f7c1194b4 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/play-rollbit.org/ JSON API: https://api.destroy.tools/v1/check?domain=play-rollbit.org Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,008 domains (49,742 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io