# PhishDestroy threat dossier — portalpeguecredito.online
================================================================
Fetched: 2026-07-04 01:10:17 UTC
Canonical: https://phishdestroy.io/domain/portalpeguecredito.online/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 71/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns a custom HTTP 666 status to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)
Note on the status code: 666 is not a registered HTTP status and lies outside the 1xx–5xx classes defined by RFC 9110. Automated tooling that treats an unknown status as a fetch error will log nothing resembling a phishing page, which is the point of the cloak; a manual probe with a browser-like client is needed to see what victims see.

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 69.49.241.129 (BR, Vinhedo)
Hosting org: AS31898 Oracle Corporation
Registrar: Fewmoretaps OU d/b/a Trustname.com

!!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!!
Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity and Belarusian ownership. It explicitly advertises itself as 'bulletproof' in its DNS TXT records.
Primary source: https://phishdestroy.io/trustname-bulletproof-exposed

Nameservers: ares.trustname.com, ns1.anycastdns.cz, ns2.anycastdns.cz, zeus.trustname.com
Registered: 2026-07-02
Expires: 2027-07-02
HTTP response: 406 (status seen by this infrastructure probe; the 666 reported under VERDICT comes from the separate cloaking check, and the two fetches may differ in time, path or client)

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports have been filed yet; this domain is waiting for the next cycle of the automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-07-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-03 02:17:50 UTC (by PhishDestroy tracker)
Last verified: 2026-07-04 03:00:14 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f2555-245c-70c8-8f17-debcab24a842/
Wayback Machine: https://web.archive.org/web/*/portalpeguecredito.online
crt.sh CT logs: https://crt.sh/?q=%25.portalpeguecredito.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=portalpeguecredito.online
AlienVault OTX: https://otx.alienvault.com/indicator/domain/portalpeguecredito.online
URLhaus: https://urlhaus.abuse.ch/host/portalpeguecredito.online/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-03 02:45:29 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, portalpeguecredito.online, is actively operating as a fake loan phishing site designed to deceive users into submitting sensitive personal and financial information. Analysis indicates the site mimics legitimate credit or loan services, presenting itself as a trusted portal to lure victims. Once users enter their details, such as identification numbers, bank account information or credit card data, the attackers harvest that information for fraudulent activity, including identity theft, unauthorized transactions or resale on dark-web marketplaces. The threat is particularly insidious because it targets people seeking financial assistance, often at a vulnerable moment, making it a high-risk scam with immediate real-world consequences.
Infrastructure analysis reveals concrete indicators of malicious intent. The domain was registered on July 02, 2026, through Fewmoretaps OU d/b/a Trustname.com, a registrar frequently associated with high-risk or fraudulent domains (see the registrar alert under INFRASTRUCTURE). It currently resolves to the IP address 69.49.241.129, which has been linked to other suspicious or confirmed phishing sites in recent threat intelligence reports. On VirusTotal only 1 of 91 security vendors flags this domain as malicious (see DETECTION EVIDENCE), so many standard security tools will let it through. The site uses a Let's Encrypt TLS certificate; such certificates are free and issued automatically on proof of domain control, so the padlock in the browser attests to nothing beyond that and gives victims a false sense of legitimacy. The combination of a recently registered domain, a low detection rate and a registrar with a history of hosting fraudulent sites underscores the elevated risk posed by this infrastructure.

If you or someone you know has visited portalpeguecredito.online and entered any personal or financial information, immediate action is required to limit the damage. First, stop all interaction with the site and do not respond to any follow-up communication, such as emails, calls or messages, which may attempt to exploit the compromised data further. Contact your financial institution to report the incident and request a review of recent transactions for any sign of unauthorized activity. Place a fraud alert or credit freeze with the major credit bureaus to prevent new accounts from being opened in your name. Monitor all financial statements, credit reports and online accounts for unusual activity over the next several months. If sensitive information such as government-issued IDs or passwords was shared, change those passwords and enable multi-factor authentication on critical accounts. Report the incident to the relevant cybercrime authorities or consumer protection agencies to help track and shut down the fraudulent operation.
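The cloaking claim under VERDICT and TIMELINE (a bogus HTTP 666 for scanners, a real page for people) and the narrative's description of a form that harvests IDs, passwords and card data can both be checked with a content-divergence probe. The script below is an added example written for this dossier, not PhishDestroy's own tooling: it starts a constructed local stand-in for a cloaked loan site, fetches it once with a scanner-like and once with a browser-like User-Agent, compares status and body hash, and lists the sensitive input names the browser view exposes. The User-Agent strings, the scanner-detection pattern, the fake form and the sensitive-field keyword list are all assumptions; PhishDestroy's real cloaking check and "rendering delta" logic are not described on this page beyond the one-line summary.

```python
"""Cloaking probe: fetch a host twice, once looking like a scanner and once like a
browser, then compare status and body. A simulated cloaked site is started locally
so the example runs offline and never contacts the real domain."""
import hashlib
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed User-Agent strings for the two probes (assumption, not PhishDestroy's).
SCANNER_UA = "python-requests/2.31.0"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")

# Constructed stand-in for the cloaked site: scanners get a bogus 666, browsers get a
# fake Brazilian loan form (cpf = taxpayer ID, senha = password, cartao = card).
SCANNER_UA_RE = re.compile(r"python|curl|wget|bot|scan|spider|urlscan", re.I)
FAKE_PORTAL = (b"<html><body><h1>Pegue seu credito</h1>"
               b"<form method='post' action='/enviar'>"
               b"<input name='nome'><input name='cpf'><input name='senha'>"
               b"<input name='cartao'><input name='cvv'></form></body></html>")

# Input names that indicate credential or financial harvesting (constructed list).
SENSITIVE_FIELD_RE = re.compile(
    r"\b(cpf|cnpj|senha|password|passwd|cartao|card|cvv|cvc|conta|agencia|pin)\b", re.I)


class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if SCANNER_UA_RE.search(self.headers.get("User-Agent", "")):
            # Non-standard status outside the 1xx-5xx classes, as the dossier reports.
            self.send_response(666)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(FAKE_PORTAL)))
        self.end_headers()
        self.wfile.write(FAKE_PORTAL)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_cloaked_server():
    """Bind the simulated site to an ephemeral port and serve it in the background."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(host, port, user_agent, path="/"):
    """One plain-HTTP GET; returns (status, body). http.client does not raise on 666."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def classify_cloaking(scanner, browser):
    """Compare the two fetches; any divergence means automated clients are being
    served something different from what people see."""
    s_status, s_body = scanner
    b_status, b_body = browser
    if s_status != b_status:
        return "status_divergence"
    if hashlib.sha256(s_body).digest() != hashlib.sha256(b_body).digest():
        return "content_divergence"
    return "consistent"


def sensitive_fields(html_bytes):
    """Names of <input> fields that look like credential or financial harvesting."""
    names = re.findall(rb"<input[^>]*\bname=['\"]?([^'\" >]+)", html_bytes, re.I)
    decoded = (n.decode("latin-1") for n in names)
    return sorted({n for n in decoded if SENSITIVE_FIELD_RE.search(n)})


def probe(host, port):
    """Run both fetches and summarise what a scanner and a victim each get."""
    scanner = fetch(host, port, SCANNER_UA)
    browser = fetch(host, port, BROWSER_UA)
    return {
        "scanner_status": scanner[0],
        "browser_status": browser[0],
        "verdict": classify_cloaking(scanner, browser),
        "harvested_fields": sensitive_fields(browser[1]),
    }


if __name__ == "__main__":
    srv = start_cloaked_server()
    try:
        print(probe("127.0.0.1", srv.server_address[1]))
    finally:
        srv.shutdown()
```

Against a live host the same `probe` would be pointed at the real domain over HTTPS instead of the local stand-in. Two caveats: the dossier files the 666 case under its own `content_divergence` label, whereas this script distinguishes a status mismatch from a body mismatch; and cloaking kits frequently key on source IP, ASN, geolocation, Accept-Language or JavaScript execution rather than on User-Agent alone, so a `consistent` result from a UA-only probe is not evidence that a site is benign.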
## SCORING METHODOLOGY
----------------------------------------------------------------
The composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe: new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/portalpeguecredito.online/
JSON API: https://api.destroy.tools/v1/check?domain=portalpeguecredito.online
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,417 domains (12,388 alive under monitoring, 161,211 confirmed takedowns/dead).
Site: https://phishdestroy.io