# PhishDestroy threat dossier — rainbet.co.com
================================================================
Fetched: 2026-07-05 17:11:42 UTC
Canonical: https://phishdestroy.io/domain/rainbet.co.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 90/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 2/91 security vendors flagged this domain
Flagging vendors: ChainPatrol, alphaMountain.ai
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 104.21.3.41 (geolocated to CA, Toronto; this is a Cloudflare anycast edge shared with other tenants, not the origin server)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: Moniker Online Services LLC
Nameservers: ns1.nic.co.com, ns2.nic.co.com, ns3.nic.co.com, ns4.nic.co.com (co.com is a registry-operated namespace under .com, so rainbet.co.com is the registrable domain; do not block co.com)
Page title: Rainbet Casino - Let It Rain Wins in Australia

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-09-10
Status: INVALID chain
Fingerprint (SHA-256): d0187a75f5f8345bde12986bc1e3ab2c906c2e4bbcefd82ee314e339d13e878c

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched: either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
First detected: 2026-07-04 12:27:03 UTC (by PhishDestroy tracker)
Last verified: 2026-07-05 16:20:35 UTC
Neutralised: 2026-07-04 18:17:26 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f2ca9-bda4-71f5-95ee-19ab77c51c9d/
Wayback Machine: https://web.archive.org/web/*/rainbet.co.com
crt.sh CT logs: https://crt.sh/?q=%25.rainbet.co.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=rainbet.co.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/rainbet.co.com
URLhaus: https://urlhaus.abuse.ch/host/rainbet.co.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-07-04 13:35:18 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, rainbet.co.com, is identified as a confirmed fake casino phishing site impersonating the legitimate Rainbet brand. The site is built to deceive users in Australia by presenting fraudulent gambling offers under the guise of a trusted casino platform. The threat is classified as brand impersonation with financial-fraud intent: victims are drawn in through misleading promotions and fake login portals that harvest credentials and payment details.

Infrastructure analysis shows the domain resolving to 104.21.3.41 and fronted by Cloudflare for content delivery and protection, a common choice among phishing operators because the origin server stays hidden behind the CDN edge. The site runs WordPress with a PHP/MySQL backend, jQuery on the front end, and Cloudflare Browser Insights (Cloudflare's real-user analytics beacon).
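Because 104.21.3.41 is a Cloudflare anycast edge shared with unrelated tenants, the actionable block for this dossier is the hostname, not the IP. The following is an added example (not PhishDestroy's code and not anything from the site's operator) showing how to turn the dossier's domain into DNS RPZ records, match it against resolver query logs including subdomains, and refuse two common mistakes: blocking the shared CDN address and blocking the co.com suffix itself. The suffix table, the Cloudflare prefix and the log lines are constructed for the demonstration; the Public Suffix List subset is deliberately tiny.

```python
"""Domain-level blocking for a dossier indicator.

Added example, not PhishDestroy's code. The suffix table, the CDN prefix
and the DNS log below are constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress

# Constructed subset of the Public Suffix List. co.com is a registry-run
# namespace under .com (the dossier lists ns1-ns4.nic.co.com as nameservers),
# so it must count as a suffix: otherwise the "registrable domain" of
# rainbet.co.com collapses to co.com and a block hits every co.com customer.
PUBLIC_SUFFIXES = frozenset({"com", "net", "org", "au", "com.au", "co.com"})

# One of Cloudflare's published IPv4 prefixes; 104.21.3.41 falls inside it.
# Assumed for this check; refresh from Cloudflare's current list in practice.
SHARED_CDN_V4 = (ipaddress.ip_network("104.16.0.0/13"),)

# Constructed resolver log: timestamp, client, qname, qtype.
DNS_LOG = """\
2026-07-04T12:30:01Z 10.0.0.17 rainbet.co.com. A
2026-07-04T12:30:02Z 10.0.0.17 www.rainbet.co.com. A
2026-07-04T12:31:40Z 10.0.0.23 rainbet.com. A
2026-07-04T12:32:05Z 10.0.0.31 nic.co.com. A
2026-07-04T12:33:11Z 10.0.0.17 notrainbet.co.com. A
"""


def normalize(host: str) -> str:
    """Lower-case and drop the trailing dot that resolver logs carry."""
    return host.strip().rstrip(".").lower()


def registrable_domain(host: str) -> str | None:
    """Longest public suffix plus one label; None if host is itself a suffix."""
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def is_blocked(host: str, blocklist: set[str]) -> bool:
    """Exact match or subdomain match; 'notrainbet.co.com' must not match."""
    h = normalize(host)
    return any(h == d or h.endswith("." + d) for d in blocklist)


def rpz_records(domain: str) -> list[str]:
    """RPZ records that return NXDOMAIN for the host and everything beneath it."""
    d = normalize(domain)
    if registrable_domain(d) is None:
        raise ValueError(f"{d} is a public suffix, refusing to block it")
    return [f"{d} CNAME .", f"*.{d} CNAME ."]


def safe_to_block_ip(ip: str) -> bool:
    """False for shared CDN edges, where an IP block would hit unrelated sites."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SHARED_CDN_V4)


def scan_dns_log(log: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for every query that matches the blocklist."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        if is_blocked(qname, blocklist):
            hits.append((client, normalize(qname)))
    return hits


if __name__ == "__main__":
    blocked = {"rainbet.co.com"}
    print("\n".join(rpz_records("rainbet.co.com")))
    print("block 104.21.3.41 directly:", safe_to_block_ip("104.21.3.41"))
    for client, qname in scan_dns_log(DNS_LOG, blocked):
        print(f"hit {client} -> {qname}")
```

The two RPZ lines go into the policy zone loaded by BIND, Unbound or any other RPZ-capable resolver; `CNAME .` is the RPZ action for NXDOMAIN. Note that `rainbet.com` and `nic.co.com` in the constructed log do not match, and that the suffix check is what stops an over-eager analyst from shipping `co.com CNAME .` to production.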
Security vendors on VirusTotal had flagged this domain at narrative time with 2 of 95 engines (the DETECTION EVIDENCE section above records the current figure as 2/91). The TLS certificate is issued by Google Trust Services; a certificate from a public CA attests only to control of the hostname and says nothing about who operates it, so the padlock lends the site unearned credibility. The registrar (Moniker Online Services LLC) was recorded later in INFRASTRUCTURE; no domain creation date is on file. Cloudflare fronting hides the origin server and complicates attribution and takedown; HTTP/3 on the edge is simply Cloudflare's default behaviour and is not itself a signal about the operator. The site was active at the time this narrative was generated (TIMELINE shows it neutralised at 18:17:26 UTC the same day), posing a high risk to users lured into providing personal or financial information.

Recommendations: block the domain (and its subdomains) in enterprise and consumer security solutions. Do not block 104.21.3.41 itself, since it is a shared Cloudflare anycast address and an IP block would take out unrelated sites on the same edge. Educate users to recognise phishing indicators such as mismatched URLs, unsolicited gambling offers, and requests for sensitive data. Financial institutions and gambling regulators in Australia are advised to alert their customers to this fraudulent operation. Monitoring for additional domains with similar infrastructure or naming patterns is strongly recommended to pre-empt follow-on campaigns.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 3dd216b4c6baec21a0181a7c99f069f2
TLS cert SHA-256: d0187a75f5f8345bde12986bc1e3ab2c906c2e4bbcefd82ee314e339d13e878c

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe: new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/rainbet.co.com/
JSON API: https://api.destroy.tools/v1/check?domain=rainbet.co.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,934 domains (13,481 alive under monitoring, 160,565 confirmed takedowns/dead).
Site: https://phishdestroy.io
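The ANALYST NARRATIVE recommends monitoring for additional domains with similar naming patterns, and EXTERNAL CORROBORATION links a crt.sh query for the domain's certificates. The following is an added example (not PhishDestroy's tooling) of the Certificate Transparency side of that monitoring: it takes entries shaped like crt.sh's JSON output, expands the SAN list, and flags names that either carry the brand token or sit within a small edit distance of it. Everything in CT_SAMPLE is constructed for the demonstration (the .example hosts are placeholders, nothing was fetched, and the WE1 not_before date is invented); BRAND, the assumed-legitimate KNOWN_GOOD set and the MAX_EDITS threshold are parameters you would set for your own brand.

```python
"""Sibling-domain hunt over Certificate Transparency data for a flagged brand.

Added example, not PhishDestroy's tooling. CT_SAMPLE is constructed in the
shape of crt.sh's JSON output (issuer_name, common_name, name_value with
newline-separated SANs, not_before); nothing was fetched, and the .example
hosts are placeholders rather than observed domains.
"""
from __future__ import annotations

import json

BRAND = "rainbet"
KNOWN_GOOD = frozenset({"rainbet.com"})  # assumed legitimate domain for the demo
MAX_EDITS = 2                             # hypothetical lookalike threshold

CT_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "common_name": "rainbet.co.com",
     "name_value": "rainbet.co.com\n*.rainbet.co.com",
     "not_before": "2026-06-12T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuer",
     "common_name": "ra1nbet.example",
     "name_value": "ra1nbet.example\nwww.ra1nbet.example",
     "not_before": "2026-06-20T00:00:00"},
    {"issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "common_name": "rainbet-bonus.example",
     "name_value": "rainbet-bonus.example",
     "not_before": "2026-07-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuer",
     "common_name": "rainbet.com",
     "name_value": "rainbet.com\nwww.rainbet.com",
     "not_before": "2026-01-15T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuer",
     "common_name": "status.example",
     "name_value": "status.example",
     "not_before": "2026-07-02T00:00:00"},
])


def issuer_cn(issuer_name: str) -> str:
    """Pull the CN out of a DN string such as 'C=US, O=..., CN=WE1'."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("CN="):
            return part[3:]
    return issuer_name


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for catching typosquats such as ra1nbet."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str | None:
    """Why a host is interesting: 'brand_token', 'lookalike', or None."""
    if any(host == g or host.endswith("." + g) for g in KNOWN_GOOD):
        return None
    labels = host.split(".")[:-1]  # every label except the TLD
    if any(BRAND in label for label in labels):
        return "brand_token"
    if any(levenshtein(label, BRAND) <= MAX_EDITS for label in labels):
        return "lookalike"
    return None


def hunt(ct_json: str) -> list[tuple[str, str, str]]:
    """(host, reason, issuer CN) for every interesting name in the CT entries."""
    seen: dict[str, str] = {}
    for entry in json.loads(ct_json):
        names = {entry["common_name"], *entry["name_value"].split("\n")}
        for raw in names:
            host = raw.strip().lower().removeprefix("*.")  # wildcard SANs
            if host and host not in seen:
                seen[host] = issuer_cn(entry["issuer_name"])
    return sorted(
        (host, reason, cn)
        for host, cn in seen.items()
        if (reason := classify(host)) is not None
    )


if __name__ == "__main__":
    for host, reason, cn in hunt(CT_SAMPLE):
        print(f"{host:28} {reason:12} issuer={cn}")
```

Against live data, replace CT_SAMPLE with the body returned by the crt.sh query linked above with `&output=json` appended, widen the query to `%25rainbet%25` to catch siblings on other suffixes, and treat the output as a review queue rather than an auto-block list: an edit-distance threshold of 2 also matches benign names such as "rainbow", and the brand-token rule fires on the legitimate `rainbet.com` unless it is in KNOWN_GOOD.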