# PhishDestroy threat dossier — pp99990009999.duckdns.org
================================================================
Fetched: 2026-07-05 04:52:58 UTC
Canonical: https://phishdestroy.io/domain/pp99990009999.duckdns.org/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 88/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 4/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 7/91 security vendors flagged this domain
Flagging vendors: BitDefender, Emsisoft, Fortinet, G-Data, Kaspersky, Netcraft, Webroot
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 64.89.160.131 (LU, Schieren)
ASN: AS205759 Ghosty Networks LLC
Hosting org: Ghosty Networks LLC
Registrar: DuckDNS
Nameservers: NS_NOT_FOUND
Page title: Garanti BBVA
HTTP response: 200

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
First detected: 2026-07-05 02:21:51 UTC (by PhishDestroy tracker)
Last verified: 2026-07-05 06:20:16 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f2fa6-1d49-72d9-bd7a-eb022f647fc2/
Wayback Machine: https://web.archive.org/web/*/pp99990009999.duckdns.org
crt.sh CT logs: https://crt.sh/?q=%25.pp99990009999.duckdns.org
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=pp99990009999.duckdns.org
AlienVault OTX: https://otx.alienvault.com/indicator/domain/pp99990009999.duckdns.org
URLhaus: https://urlhaus.abuse.ch/host/pp99990009999.duckdns.org/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-05 02:25:57 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain pp99990009999.duckdns.org has been identified as a credential theft threat, actively impersonating the financial institution Garanti BBVA. This domain is currently active and poses an elevated risk to potential victims who may be misled into providing sensitive information.

Infrastructure analysis indicates that the domain resolves to the IP address 64.89.160.131. It is registered through Let's Encrypt, which is known for providing free SSL certificates. The domain has been flagged by 7 of 95 VirusTotal vendors, indicating a notable level of concern among security providers. There are currently no entries found on major blocklists, suggesting that it may not yet have been widely recognized as a threat by the broader security community.

The creation date of the domain is not provided in the available data, but its use of an SSL certificate from Let's Encrypt suggests it may have been created recently to appear legitimate to unsuspecting users.

Given the current status of pp99990009999.duckdns.org, it is essential for organizations and individuals to exercise caution. Users are advised to avoid engaging with this domain and to report any suspicious communications that may direct them to it. Additionally, regular monitoring for updates on this domain and others like it is recommended, along with the implementation of security measures such as multi-factor authentication to protect sensitive accounts against potential credential theft.

[Updates since narrative was generated:]
- Public blocklists: now listed on 2 feeds

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 07cb5ef966e90c557cd6fb880b9bbb4e

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/pp99990009999.duckdns.org/
JSON API: https://api.destroy.tools/v1/check?domain=pp99990009999.duckdns.org
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform.
Tracked: 174,839 domains (12,676 alive under monitoring, 161,290 confirmed takedowns/dead).
Site: https://phishdestroy.io