# PhishDestroy threat dossier — tmgmvip.pro
================================================================

Fetched: 2026-07-02 19:34:32 UTC
Canonical: https://phishdestroy.io/domain/tmgmvip.pro/

## VERDICT
----------------------------------------------------------------

TAKEN DOWN (neutralised)

Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Generic Phishing

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: Gridinsoft
URLQuery: 2 detections
AlienVault OTX: 1 pulse (threat-intel feed mentions)
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 145.223.124.113 (DE, Frankfurt am Main)
ASN: ASAS47583 AS-HOSTINGER Hostinger International Limited, CY
Hosting org: AS47583 Hostinger International Limited
Registrar: Dynadot Inc
Nameservers: ns1.dns-parking.com, ns2.dns-parking.com
Registered: 2025-11-20
Expires: 2026-11-20
Page title: HOME - TMGM|TMGM Group|TMGM provides the best trading conditions for traders worldwide
HTTP response: 530

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Let's Encrypt / R12
Expires: 2026-08-17
Status: INVALID chain
Fingerprint: 96d1821cead995a4c42f104a93424966c32c7fddd86d32a317a280cef9b4af77

Subject Alternative Names (related infrastructure — often same operator):
- www.tmgmvip.pro

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------

Domain registered: 2025-11-20 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-15 14:13:33 UTC (by PhishDestroy tracker)
First reported: 2026-06-17 17:51:13 UTC (abuse notice filed)
Last verified: 2026-07-02 20:20:35 UTC
Neutralised: 2026-06-16 00:40:13 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019ecb31-f76e-75fe-b600-075d8f532ec3/
URLQuery: https://urlquery.net/report/0beb75a1-d703-408d-b3bf-8fe5ab190ea7
Wayback Machine: https://web.archive.org/web/*/tmgmvip.pro
crt.sh CT logs: https://crt.sh/?q=%25.tmgmvip.pro
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tmgmvip.pro
AlienVault OTX: https://otx.alienvault.com/indicator/domain/tmgmvip.pro
URLhaus: https://urlhaus.abuse.ch/host/tmgmvip.pro/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-06-25 18:25:53 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain is flagged as a high-risk phishing site designed to impersonate a legitimate forex trading platform. Analysis indicates the domain hosts fraudulent pages mimicking TMGM Group, a known brokerage, with the intent to harvest login credentials, financial details, or deploy malicious payloads under the guise of trading services. The page title, 'HOME - TMGM|TMGM Group|TMGM provides the best trading conditions for traders worldwide', reinforces the deception by replicating branding elements of the legitimate entity, increasing the likelihood of successful social engineering attacks against retail traders or investors.

Infrastructure analysis reveals multiple red flags: the domain was registered on November 20, 2025, through Dynadot Inc, a registrar frequently abused for malicious registrations. It resolves to IP address 145.223.124.113, hosted on AS47583 (Hostinger International Limited) in Germany, a network segment with a history of hosting phishing infrastructure. The SSL certificate, issued by Let's Encrypt (R12), provides HTTPS encryption but does not validate legitimacy. Detection metrics show 1/95 security vendors on VirusTotal flagging the domain as malicious, while it appears on 3 independent security blocklists, including PhishDestroy, MetaMask, and SEAL. The domain remains active as of this report, with no takedown or sinkholing observed.

Users who visited tmgmvip.pro should assume compromise of any entered credentials or financial data. Immediate actions include revoking access to any accounts accessed via the domain, rotating passwords for associated email or trading platforms, and scanning endpoint devices for malware. Network-level blocking of the domain (tmgmvip.pro) and its resolving IP (145.223.124.113) is recommended to prevent further exposure. Financial institutions should be notified if transactions were initiated through the site. Monitoring for unauthorized access or fraudulent activity is critical, particularly for accounts linked to forex trading or cryptocurrency exchanges.

## EVIDENCE HASHES
----------------------------------------------------------------

PhishDestroy Case ID: PD-20260617-9AD6AF
Favicon MD5: ed3db5c45feb0bf5021b381877d83806
TLS cert SHA-256: 96d1821cead995a4c42f104a93424966c32c7fddd86d32a317a280cef9b4af77

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/tmgmvip.pro/
JSON API: https://api.destroy.tools/v1/check?domain=tmgmvip.pro
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 173,982 domains (14,673 alive under monitoring, 158,576 confirmed takedowns/dead).
Site: https://phishdestroy.io