# PhishDestroy threat dossier — practical-broccoli-839907.framer.app ================================================================ Fetched: 2026-07-13 14:18:38 UTC Canonical: https://phishdestroy.io/domain/practical-broccoli-839907.framer.app/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 19/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, Chong Lua Dao, Cluster25, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, Netcraft, OpenPhish, Sophos, VIPRE, Webroot URLQuery: 2 detections Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 31.43.160.6 (NL, Amsterdam) ASN: AS16509 Amazon.com, Inc. Hosting org: Framer B.V Registrar: Framer Nameservers: NS_NOT_FOUND Page title: Site Not Found | Framer HTTP response: 404 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE1 Expires: 2026-09-03 Status: INVALID chain Fingerprint: b20f76f2873fb387a35bcd34f23d09529684b24bcac38ebad5e5492a22dd0c84 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-12 13:36:54 UTC (by PhishDestroy tracker) First reported: 2026-07-12 20:50:37 UTC (abuse notice filed) Last verified: 2026-07-13 12:20:40 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f561d-5293-701f-87ec-a3321d18f9fc/ URLQuery: https://urlquery.net/report/e265322a-84a2-431a-a0fb-29ef964a3be1 Wayback Machine: https://web.archive.org/web/*/practical-broccoli-839907.framer.app crt.sh CT logs: https://crt.sh/?q=%25.practical-broccoli-839907.framer.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=practical-broccoli-839907.framer.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/practical-broccoli-839907.framer.app URLhaus: https://urlhaus.abuse.ch/host/practical-broccoli-839907.framer.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-13 00:15:34 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] Analysis of the domain practical-broccoli-839907.framer.app indicates active phishing infrastructure despite its current HTTP 404 response and 'Site Not Found' page title. The domain is hosted on Framer Sites, a legitimate platform frequently abused for phishing due to its ease of deployment and free SSL certificates. Infrastructure reveals the use of React, HSTS, and HTTP/3, suggesting a modern frontend framework likely intended to mimic legitimate services. The domain resolves to IP address 31.43.160.6, associated with Framer B.V. in the Netherlands, a known hosting provider for both legitimate and malicious content. Security blocklists confirm malicious classification, with PhishDestroy currently blocking the domain. VirusTotal reports 19 of 95 security vendors flagging the domain, though the specific nature of the phishing content remains unconfirmed due to the 404 status. The SSL certificate, issued by Let's Encrypt (YE1), is standard for Framer-hosted sites and does not inherently indicate malicious intent, though it provides encryption commonly exploited by threat actors. No nameservers are currently detected, which may indicate temporary misconfiguration or deliberate obfuscation. The domain's registration through Framer suggests rapid deployment, a tactic often used in phishing campaigns to evade detection before takedown. While the exact phishing lure is not visible due to the 404 error, the combination of hosting platform, blocklist presence, and vendor detections strongly supports classification as active phishing infrastructure. Defenders should treat this domain as high-risk and implement blocking at network and endpoint levels. Monitoring for changes in HTTP status or page content is recommended, as the infrastructure may be reactivated with malicious content. The absence of visible phishing material at this time does not reduce the risk, given the domain's confirmed malicious classification and active status. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-052C76 TLS cert SHA-256: b20f76f2873fb387a35bcd34f23d09529684b24bcac38ebad5e5492a22dd0c84 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/practical-broccoli-839907.framer.app/ JSON API: https://api.destroy.tools/v1/check?domain=practical-broccoli-839907.framer.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,162 domains (49,853 alive under monitoring, 128,309 confirmed takedowns/dead). Site: https://phishdestroy.io