# PhishDestroy threat dossier — riotkk.com ================================================================ Fetched: 2026-05-06 19:01:08 UTC Canonical: https://phishdestroy.io/domain/riotkk.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE THREAT — multiple warning signs Composite threat score: 46/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 10/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, CRDF, CyRadar, Fortinet, G-Data, LevelBlue, Mimecast, SOCRadar, Webroot URLQuery: 2 detections ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 186.2.171.13 (BZ, Belmopan) ASN: AS59692 IQWeb FZ-LLC Hosting org: Iqweb LLC Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED !!! REGISTRAR INTEGRITY ALERT — NiceNIC !!! NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response. Primary sources: https://phishdestroy.io/nicenic-real https://phishdestroy.io/nicenic-verdict Nameservers: ns01.serverspace.io, ns01.serverspace.io., ns02.serverspace.io, ns02.serverspace.io. Registered: 2026-05-03 Page title: VALORANT VCT Champions Giveaway ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-03 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-06 19:53:16 UTC (by PhishDestroy tracker) First reported: 2026-05-06 16:54:53 UTC (abuse notice filed) Last verified: 2026-05-06 21:25:27 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019dfe33-aaa4-76f8-b30c-8845a0cda3df/ URLQuery: https://urlquery.net/report/d5a1d1bb-4229-45d8-938b-3e30b385c7a2 Wayback Machine: https://web.archive.org/web/*/riotkk.com crt.sh CT logs: https://crt.sh/?q=%25.riotkk.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=riotkk.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/riotkk.com URLhaus: https://urlhaus.abuse.ch/host/riotkk.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-06 19:53:38 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies riotkk.com as a live credential-harvesting portal designed to trick visitors into surrendering login credentials. The page masquerades as a legitimate login interface but beams stolen details straight to attackers. Anyone entering email or password on riotkk.com risks immediate account takeover on linked services like Gmail, social media, or corporate platforms. This domain was flagged by 10 out of 95 VirusTotal security vendors and carries a creation date of May 03, 2026, indicating it is a brand-new threat rather than an old recycled scam. It is registered through NICENIC INTERNATIONAL GROUP CO., LIMITED and secured with a Let’s Encrypt SSL certificate to appear trustworthy. The combination of fresh registration and low vendor coverage makes this site especially dangerous for unsuspecting visitors. If you visited riotkk.com and entered any credentials or personal information, change those passwords immediately and enable multi-factor authentication on every linked account. Run a full antivirus scan and monitor accounts for unauthorized access. Report the domain to your IT team or email provider to help block further spread of this campaign. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260506-8BDBBC ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/riotkk.com/ JSON API: https://api.destroy.tools/v1/check?domain=riotkk.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 146,455 domains (59,048 alive under monitoring, 87,113 confirmed takedowns/dead). Site: https://phishdestroy.io