# PhishDestroy threat dossier — public-bitgget-login.pages.dev
================================================================
Fetched: 2026-04-25 08:08:57 UTC
Canonical: https://phishdestroy.io/domain/public-bitgget-login.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 98/100 (PhishDestroy scoring — see methodology below)
Scam classification: Credential Phishing
Targeted brand: Bitget

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 3/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, Fortinet, LevelBlue

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.96.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: clark.ns.cloudflare.com, jessica.ns.cloudflare.com
Registered: 2026-04-14
Page title: Bitget Login: Advanced Security & User Guide
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-08
Status: INVALID chain
Fingerprint: 8fbc6a0056efd3f664195abe62ac06e8e66d8aab868b8ab03fa7d31776522696

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-14 19:51:53 UTC (by PhishDestroy tracker)
Last verified: 2026-04-22 19:40:15 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d8ce7-4827-73aa-b611-bddc03164b95/
Wayback Machine: https://web.archive.org/web/*/public-bitgget-login.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.public-bitgget-login.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=public-bitgget-login.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/public-bitgget-login.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/public-bitgget-login.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-14 19:52:47 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies public-bitgget-login.pages.dev as a high-risk Bitget brand impersonation deployed as a credential harvesting portal. The domain masquerades as Bitget’s official login interface under the title 'Bitget Login: Advanced Security & User Guide,' tricking users into submitting credentials under the guise of enhanced security verification. This active campaign leverages Cloudflare Pages infrastructure and Google Trust Services SSL to enhance credibility, while resolving to IP 188.114.96.3 via Cloudflare’s reverse proxy network.

The threat is classified as brand impersonation due to its deliberate mimicry of Bitget’s branding, login workflow, and terminology, with the intent to harvest user login credentials for unauthorized access to cryptocurrency exchange accounts.

This domain was flagged by 3 out of 95 VirusTotal security vendors and is currently active despite detection efforts. It is registered through Cloudflare, Inc., and hosted on Cloudflare Pages, which enables rapid deployment and evasion of traditional takedown mechanisms. The SSL certificate is issued by Google Trust Services, further reinforcing user trust and reducing suspicion. While the exact registration date is not publicly disclosed, the domain remains unlisted on major blocklists, allowing continued operation with minimal interference. Trust scores are compromised due to the use of legitimate hosting and certificate authorities, making detection dependent on behavioral analysis and signature-based engines.

Mitigation for this threat requires immediate user awareness and technical controls. Users should avoid clicking links from unsolicited emails or messages referencing 'Bitget Advanced Security' or similar prompts. Always navigate directly to the official Bitget website via verified bookmarks or search engines. Organizations should implement DNS filtering with real-time threat intelligence feeds to block access to this domain and similar impersonations. Additionally, Bitget users should enable two-factor authentication (2FA) with app-based or hardware tokens, and report any suspicious login attempts to Bitget support. Security teams should monitor for credentials exposed in phishing campaigns and conduct user education on recognizing brand impersonation tactics, particularly those exploiting legitimate cloud hosting services.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: 8fbc6a0056efd3f664195abe62ac06e8e66d8aab868b8ab03fa7d31776522696

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/public-bitgget-login.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=public-bitgget-login.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains.
Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io