# PhishDestroy threat dossier — t-mobile.bnayqs.top ================================================================ Fetched: 2026-05-21 02:11:12 UTC Canonical: https://phishdestroy.io/domain/t-mobile.bnayqs.top/ ## VERDICT ---------------------------------------------------------------- ACTIVE THREAT — multiple warning signs Composite threat score: 44/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/95 security vendors flagged this domain ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 Registrar: NameSilo, LLC !!! REGISTRAR INTEGRITY ALERT — NameSilo !!! NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received. Primary sources: https://phishdestroy.io/namesilo-killed-our-twitter https://phishdestroy.io/xmrwallet-namesilo-exposed Nameservers: malcolm.ns.cloudflare.com, val.ns.cloudflare.com Registered: 2026-05-20 Page title: Welcome to OpenResty! HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-08-18 Status: INVALID chain Fingerprint: 6fa17f67aefdf8db4f98a166c32d2784bf5bdfa2a6571273e87c0bb6e72711bb Subject Alternative Names (related infrastructure — often same operator): - bnayqs.top ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-20 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-21 03:14:37 UTC (by PhishDestroy tracker) Last verified: 2026-05-21 04:42:59 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e47e0-f181-70fe-a2bd-3d2d55cc7cb9/ Wayback Machine: https://web.archive.org/web/*/t-mobile.bnayqs.top crt.sh CT logs: https://crt.sh/?q=%25.t-mobile.bnayqs.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=t-mobile.bnayqs.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/t-mobile.bnayqs.top URLhaus: https://urlhaus.abuse.ch/host/t-mobile.bnayqs.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-21 03:16:07 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy has identified t-mobile.bnayqs.top as an active phishing domain masquerading as a legitimate T-Mobile login portal, specifically designed to harvest sensitive user credentials. The domain employs homograph spoofing techniques, visually mimicking T-Mobile’s official branding to deceive victims into entering their account details. The threat actor behind this campaign leverages social engineering tactics, such as phishing emails or text messages, to direct users to the malicious site under the guise of account verification or billing issues. Once credentials are entered, they are captured by the threat actor for unauthorized access, potential financial fraud, or further exploitation in subsequent attacks. This domain was flagged by PhishDestroy’s automated threat intelligence pipeline, which detected multiple red flags indicative of phishing activity. The domain resolves to IP address 188.114.97.3 and was registered through NameSilo, LLC on May 20, 2026, suggesting a recently established infrastructure likely used for short-lived campaigns. Notably, VirusTotal currently reports 0 detections out of 95 security vendors, indicating that traditional signature-based defenses have not yet identified this threat. The use of a Let’s Encrypt SSL certificate further lends credibility to the domain, as it provides a false sense of security to users checking for HTTPS indicators. Given these indicators, the risk level is currently classified as 'under_investigation' but remains active and poses a significant threat to unsuspecting users. If you have visited t-mobile.bnayqs.top, PhishDestroy recommends taking immediate action to secure your T-Mobile account and personal data. First, change your T-Mobile account password using the official mobile app or website (https://www.t-mobile.com) and enable two-factor authentication (2FA) if not already configured. Next, monitor your account for any unauthorized activity, such as changes to your profile, unauthorized charges, or unfamiliar devices accessing your account. Report the incident to T-Mobile’s fraud department and consider freezing your credit or enrolling in identity theft protection services if you entered sensitive information like your Social Security number or payment details. Finally, scan your devices for malware using reputable antivirus software, as phishing domains like this may also deliver payloads capable of credential theft or surveillance. Stay vigilant and verify the legitimacy of any unexpected login prompts or communications claiming to be from T-Mobile. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 6fa17f67aefdf8db4f98a166c32d2784bf5bdfa2a6571273e87c0bb6e72711bb ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/t-mobile.bnayqs.top/ JSON API: https://api.destroy.tools/v1/check?domain=t-mobile.bnayqs.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 152,190 domains (43,233 alive under monitoring, 108,677 confirmed takedowns/dead). Site: https://phishdestroy.io