# PhishDestroy threat dossier — raainbet.de ================================================================ Fetched: 2026-07-16 13:13:48 UTC Canonical: https://phishdestroy.io/domain/raainbet.de/ ## VERDICT ---------------------------------------------------------------- ACTIVE THREAT — multiple warning signs Composite threat score: 40/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 5/91 security vendors flagged this domain Flagging vendors: ChainPatrol, alphaMountain.ai, Forcepoint ThreatSeeker, Fortinet, Kaspersky ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 209.99.186.25 Registrar: REGISTRAR_NOT_FOUND Nameservers: chip.ns.cloudflare.com, destiny.ns.cloudflare.com ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-08-04 Status: INVALID chain Fingerprint: 4404554842f8eb907025f23e9f360ae4940ebea0aa365ef0953be08b9b93ce7e Subject Alternative Names (related infrastructure — often same operator): - www.raainbet.de ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-16 12:59:42 UTC (by PhishDestroy tracker) Last verified: 2026-07-16 15:00:14 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f6a93-e4e9-723e-821c-82f27e84e44f/ Wayback Machine: https://web.archive.org/web/*/raainbet.de crt.sh CT logs: https://crt.sh/?q=%25.raainbet.de Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=raainbet.de AlienVault OTX: https://otx.alienvault.com/indicator/domain/raainbet.de URLhaus: https://urlhaus.abuse.ch/host/raainbet.de/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-16 13:01:10 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain raainbet.de is currently resolved to the IP address 209.99.186.25 and is served by Cloudflare name servers chip.ns.cloudflare.com and destiny.ns.cloudflare.com. VirusTotal has recorded detections from five of ninety‑one scanning engines, indicating that at least a subset of security products consider the domain malicious. The threat classification in the intelligence set is generic_phishing, and the status is marked active as of the report date. No additional context such as target brand, page content, or hosting infrastructure beyond the IP and name servers is available, so the full scope of the phishing campaign cannot be fully mapped. Defenders should block or monitor outbound connections to 209.99.186.25 and add raainbet.de to domain deny lists. Network sensors should be tuned to detect HTTP or SMTP traffic that includes this domain. Because the domain is hosted behind Cloudflare, any takedown request must be directed to the Cloudflare abuse contacts, referencing the observed detections. Continuous re‑evaluation is advised, as the detection count may change and further analysis of the hosted content could reveal additional indicators. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 4404554842f8eb907025f23e9f360ae4940ebea0aa365ef0953be08b9b93ce7e ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/raainbet.de/ JSON API: https://api.destroy.tools/v1/check?domain=raainbet.de Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,451 domains (50,925 alive under monitoring, 128,526 confirmed takedowns/dead). Site: https://phishdestroy.io