# PhishDestroy threat dossier — t-mobile.vyqpdo.top ================================================================ Fetched: 2026-05-20 14:39:44 UTC Canonical: https://phishdestroy.io/domain/t-mobile.vyqpdo.top/ ## VERDICT ---------------------------------------------------------------- ACTIVE THREAT — multiple warning signs Composite threat score: 44/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/95 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, CRDF, Emsisoft, Fortinet, G-Data, Netcraft, SOCRadar, Sophos ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: NameSilo, LLC !!! REGISTRAR INTEGRITY ALERT — NameSilo !!! NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received. Primary sources: https://phishdestroy.io/namesilo-killed-our-twitter https://phishdestroy.io/xmrwallet-namesilo-exposed Nameservers: houston.ns.cloudflare.com, kim.ns.cloudflare.com Registered: 2026-05-18 Page title: Welcome to OpenResty! HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-18 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-20 15:58:14 UTC (by PhishDestroy tracker) Last verified: 2026-05-20 17:25:32 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e4574-92ec-70eb-ab97-12786dcce778/ Wayback Machine: https://web.archive.org/web/*/t-mobile.vyqpdo.top crt.sh CT logs: https://crt.sh/?q=%25.t-mobile.vyqpdo.top Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=t-mobile.vyqpdo.top AlienVault OTX: https://otx.alienvault.com/indicator/domain/t-mobile.vyqpdo.top URLhaus: https://urlhaus.abuse.ch/host/t-mobile.vyqpdo.top/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-20 15:59:12 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies t-mobile.vyqpdo.top as an active phishing domain masquerading as a T-Mobile login portal. The site’s primary objective is to harvest user credentials by tricking victims into submitting their T-Mobile account details into a convincing fake form. The domain was registered on May 18, 2026, and resolves to IP address 188.114.97.3. Security vendors have already begun flagging the domain, with 9 of 95 VirusTotal engines detecting malicious intent. Despite using a Let’s Encrypt SSL certificate, which may falsely imply legitimacy, the combination of recent domain age, high-risk IP hosting, and early-stage detection ratio indicates elevated risk exposure for unsuspecting visitors. This domain was flagged through multiple vectors. It was registered via NameSilo, LLC, a domain registrar often exploited for low-cost, low-oversight registrations that facilitate short-lived phishing campaigns. The IP address 188.114.97.3 is associated with known malicious hosting infrastructure recently observed distributing phishing kits and credential theft pages. The domain’s creation date of May 18, 2026, places it in a high-risk window—such newly launched domains typically appear hours before active campaigns go live. VirusTotal reports 9 positive detections out of 95 engines, a ratio that suggests early but not universal detection, meaning many antivirus solutions may still miss it. The Let’s Encrypt SSL certificate, while enhancing visual trust, is automatically issued and does not verify the legitimacy of the service—it only encrypts the traffic between victim and attacker. There are no immediate indications this domain has been widely blocked by major browsers or DNS-based threat intelligence feeds, increasing the likelihood of user exposure. Mitigation for this specific threat requires immediate caution when accessing any T-Mobile-related login page linked from emails, SMS, or third-party sites. Users should verify the URL directly in the official T-Mobile app or website (tmobile.com) before entering credentials. Organizations should block the domain and IP at the network perimeter and update browser blocklists. Consumers are advised to enable multi-factor authentication (MFA) on their T-Mobile accounts to add a critical second layer of security. If credentials were entered, users must change their password immediately and monitor for unauthorized account activity. Reporting the domain to T-Mobile’s abuse team and the FBI’s IC3 (Internet Crime Complaint Center) can help disrupt further attacks. This campaign highlights the growing use of lookalike subdomains and newly registered domains (NRDs) in phishing attacks, emphasizing the need for heightened vigilance and proactive threat intelligence monitoring. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/t-mobile.vyqpdo.top/ JSON API: https://api.destroy.tools/v1/check?domain=t-mobile.vyqpdo.top Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 152,078 domains (43,345 alive under monitoring, 108,453 confirmed takedowns/dead). Site: https://phishdestroy.io