# PhishDestroy threat dossier — t-mobile.pubtjf.top ================================================================ Fetched: 2026-06-06 20:20:00 UTC Canonical: https://phishdestroy.io/domain/t-mobile.pubtjf.top/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Google ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, Cluster25, CRDF, ESET, Emsisoft, Fortinet, G-Data, Google Safebrowsing, Gridinsoft, LevelBlue, Netcraft, PrecisionSec, SOCRadar, Sophos Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.134.104 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: NameSilo,LLC !!! REGISTRAR INTEGRITY ALERT — NameSilo !!! NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received. Primary sources: https://phishdestroy.io/namesilo-killed-our-twitter https://phishdestroy.io/xmrwallet-namesilo-exposed Nameservers: ["trevor.ns.cloudflare.com.", "nelly.ns.cloudflare.com."] Registered: 2026-05-21 Page title: Welcome to OpenResty! HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-08-16 Status: INVALID chain Fingerprint: 382f3373cb975c3ff58be746c79c6072907a45fb1f601285b2065d5f43b2b29f Subject Alternative Names (related infrastructure — often same operator): - pubtjf.top ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-21 03:16:38 UTC (by PhishDestroy tracker) Last verified: 2026-06-04 01:36:04 UTC Neutralised: 2026-05-27 00:24:31 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e47e1-91dd-7378-bd04-9609987ab197/ Wayback Machine: https://web.archive.org/web/*/t-mobile.pubtjf.top crt.sh CT logs: https://crt.sh/?q=%25.t-mobile.pubtjf.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=t-mobile.pubtjf.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/t-mobile.pubtjf.top URLhaus: https://urlhaus.abuse.ch/host/t-mobile.pubtjf.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-21 03:17:31 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain t-mobile.pubtjf.top was identified as a generic phishing site actively impersonating T-Mobile's official login interface. This deceptive domain is designed to harvest user credentials under the guise of a legitimate T-Mobile authentication page, potentially exposing victims to identity theft and financial fraud. The threat actor leveraged a visually similar domain structure to exploit cognitive biases, targeting users who may hastily overlook subtle discrepancies in the URL. While a drainer kit was not explicitly confirmed in available telemetry, the site's functional purpose aligns with credential harvesting infrastructure commonly associated with such toolkits. This domain exhibits several unambiguous technical indicators of malicious intent. VirusTotal currently reports 0/95 detections, indicating low initial coverage by security vendors despite the domain's active phishing campaign. It was registered on May 18, 2026, through NameSilo, LLC, and resolves to IP address 172.67.134.104. The domain utilizes a valid SSL certificate issued by Let's Encrypt, which may contribute to a false sense of legitimacy. Google Safe Browsing has already flagged this domain under the category "SOCIAL_ENGINEERING," though it remains unblocked by many security solutions due to its recent creation and minimal historical data. As of the latest assessment, this domain remains active and constitutes an ongoing threat to unsuspecting users. Immediate action should be taken by security teams to block access to t-mobile.pubtjf.top at the network level and update threat intelligence feeds to prevent further exploitation. The risk level is currently classified as "under_investigation," but the presence of Google Safe Browsing flags and the domain's recent registration date warrant urgent attention. Users encountering this domain should refrain from interacting with it and report it to relevant authorities or security platforms. The residual risk remains elevated due to the domain's low detection rate and the potential for rapid propagation through phishing campaigns targeting T-Mobile customers. [Updates since narrative was generated:] - VirusTotal detections: now 15/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 382f3373cb975c3ff58be746c79c6072907a45fb1f601285b2065d5f43b2b29f ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/t-mobile.pubtjf.top/ JSON API: https://api.destroy.tools/v1/check?domain=t-mobile.pubtjf.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 157,273 domains (42,651 alive under monitoring, 113,799 confirmed takedowns/dead). Site: https://phishdestroy.io