# PhishDestroy threat dossier — tim.eufabuloustreasure.vip
================================================================
Fetched: 2026-07-04 07:12:11 UTC
Canonical: https://phishdestroy.io/domain/tim.eufabuloustreasure.vip/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 73/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 2600:9000:28dc:400:15:33a8:bb00:93a1 (DE, Mörfelden-Walldorf)
ASN: AS16509 AMAZON-02 - Amazon.com, Inc., US
Hosting org: AS16509 Amazon.com, Inc.
Registrar: Dynadot Inc
Nameservers: casey.ns.cloudflare.com, autumn.ns.cloudflare.com
Page title: Time Machine EU - Win 1000

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Amazon / Amazon RSA 2048 M04
Expires: 2026-12-05
Status: INVALID chain
Fingerprint: c6b35861637a5fbc67839bc3eee0a69e5c73f8fb53bcf1f5b2dc8e53cd94636f

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
First detected: 2026-06-01 21:31:36 UTC (by PhishDestroy tracker)
First reported: 2026-06-01 21:31:34 UTC (abuse notice filed)
Last verified: 2026-07-04 08:20:35 UTC
Neutralised: 2026-06-03 03:25:15 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e8472-c327-72be-8a9c-110d7db018fc/
Wayback Machine: https://web.archive.org/web/*/tim.eufabuloustreasure.vip
crt.sh CT logs: https://crt.sh/?q=%25.tim.eufabuloustreasure.vip
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tim.eufabuloustreasure.vip
AlienVault OTX: https://otx.alienvault.com/indicator/domain/tim.eufabuloustreasure.vip
URLhaus: https://urlhaus.abuse.ch/host/tim.eufabuloustreasure.vip/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 19:38:37 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

Analysis indicates tim.eufabuloustreasure.vip is an active UNDER INVESTIGATION phishing infrastructure presenting a fake reward engagement page titled "Time Machine EU - Win 1000". The domain is structured to simulate prize or incentive-based interaction flows commonly used to harvest user credentials or induce malicious actions.

Evidence shows the domain resolves to IPv6 2600:9000:28dc:400:15:33a8:bb00:93a1 hosted in DE under AS16509 Amazon.com, Inc. infrastructure. SSL certificate is issued via Amazon RSA 2048 M04, indicating automated cloud provisioning rather than verified organizational identity. The registrar is Dynadot Inc. The domain appears on 1 security blocklist and is actively flagged by PhishDestroy.
VirusTotal reports 0/95 detections, indicating low but not absent detection coverage across vendors. The page title "Time Machine EU - Win 1000" suggests a reward-themed lure designed for social engineering rather than legitimate service functionality.

Mitigation actions should include proactive blocking of the domain at DNS and web filtering layers, especially in environments handling user authentication or financial access. Users who visited should be advised to avoid entering credentials or personal data and to clear session cookies immediately. If any data was submitted, credential resets should be performed for affected accounts, and MFA should be enabled. Security monitoring should be updated to include this domain, its IPv6 address, and associated reward-themed lure patterns.

Continued observation is recommended due to active status and low detection rate, which may indicate early-stage or fast-rotating phishing infrastructure.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 2079c7bd4bf301eb0a99f585c2435f3b
TLS cert SHA-256: c6b35861637a5fbc67839bc3eee0a69e5c73f8fb53bcf1f5b2dc8e53cd94636f

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/tim.eufabuloustreasure.vip/
JSON API: https://api.destroy.tools/v1/check?domain=tim.eufabuloustreasure.vip
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,429 domains (12,731 alive under monitoring, 160,880 confirmed takedowns/dead).
Site: https://phishdestroy.io