# PhishDestroy threat dossier — rollbitcasino.bet ================================================================ Fetched: 2026-06-08 02:23:26 UTC Canonical: https://phishdestroy.io/domain/rollbitcasino.bet/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/91 security vendors flagged this domain Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.133.103 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Dynadot Inc Nameservers: ["carter.ns.cloudflare.com", "chloe.ns.cloudflare.com"] Registered: 2026-05-01 Expires: 2026-10-06 Page title: Rollbit — Login, 100% Up To C$250 + 150 Free Spins HTTP response: 404 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-01 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-01 15:37:37 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-05-01 12:40:49 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-06-02 17:20:40 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019de388-c539-71d8-838f-6a5e600823f2/ URLQuery: https://urlquery.net/report/8502722e-6c66-4927-9e71-dd8c20ef409d Wayback Machine: https://web.archive.org/web/*/rollbitcasino.bet crt.sh CT logs: https://crt.sh/?q=%25.rollbitcasino.bet Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=rollbitcasino.bet AlienVault OTX: https://otx.alienvault.com/indicator/domain/rollbitcasino.bet URLhaus: https://urlhaus.abuse.ch/host/rollbitcasino.bet/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-01 15:39:51 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies rollbitcasino.bet as a crypto drainer impersonating the legitimate Rollbit brand, designed to trick users into connecting their cryptocurrency wallets and siphoning funds. The domain leverages a spoofed interface mimicking Rollbit’s official platform to deceive victims into authorizing malicious transactions. No drainer kit details are publicly available at this time, but the site’s infrastructure and recent creation strongly suggest active deployment of phishing tactics targeting crypto users. Technical indicators for rollbitcasino.bet reveal several red flags: the domain was created on October 06, 2025, a suspiciously recent date indicating opportunistic domain squatting. It resolves to IP address 172.67.133.103, hosted on Cloudflare infrastructure, and is registered through Dynadot Inc, a domain registrar known for low-cost, high-volume registrations that are frequently abused in phishing campaigns. Despite zero detections on VirusTotal (0/95), the site holds a valid SSL certificate issued by Google Trust Services, which can lend false credibility to visitors. These factors collectively suggest an emerging but unflagged threat with potential for rapid escalation as awareness spreads. No current blocklist entries were detected in available threat intelligence feeds. As of this assessment, rollbitcasino.bet remains active and unblocked by most security systems due to its newness and lack of signature-based detection. PhishDestroy has escalated this domain for investigation under the unique seed 1897c7, but users should treat it as hostile immediately. The risk level is currently marked as 'under_investigation'—a status that often precedes confirmation of malicious intent. Until definitive evidence of compromise or domain takedown is confirmed, users are strongly advised to avoid visiting the site, refrain from interacting with any wallet connection prompts, and report the domain to their security tools and relevant authorities. Remaining risk includes potential zero-day drainer deployment and further brand impersonation across similar domains. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260501-E15FE2 Favicon MD5: 2638d61a96173629d966b80c77c46d6f ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/rollbitcasino.bet/ JSON API: https://api.destroy.tools/v1/check?domain=rollbitcasino.bet Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 157,669 domains (41,888 alive under monitoring, 114,599 confirmed takedowns/dead). Site: https://phishdestroy.io