# PhishDestroy threat dossier — tracxs.netlify.app ================================================================ Fetched: 2026-06-26 04:56:20 UTC Canonical: https://phishdestroy.io/domain/tracxs.netlify.app/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 76/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, ESET, Emsisoft, Fortinet, G-Data, Gridinsoft, LevelBlue, Lionic, Netcraft, OpenPhish, Sophos, VIPRE, Webroot Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 63.176.8.218 Registrar: Netlify Nameservers: NS_NOT_FOUND Registered: 2026-06-12 Page title: Sign in to your Account HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: DigiCert Inc / DigiCert Global G2 TLS RSA SHA256 2020 CA1 Expires: 2027-03-19 Status: INVALID chain Fingerprint: bc3a8134c21a842e64ea34d488826dd2ba50f59a3bcbaed1e6b71a4242de1478 Subject Alternative Names (related infrastructure — often same operator): - netlify.app ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-12 16:30:20 UTC (by PhishDestroy tracker) First reported: 2026-06-15 00:27:29 UTC (abuse notice filed) Last verified: 2026-06-26 04:20:34 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019ebc5c-938b-738d-9354-86b611a958c0/ Wayback Machine: https://web.archive.org/web/*/tracxs.netlify.app crt.sh CT logs: https://crt.sh/?q=%25.tracxs.netlify.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=tracxs.netlify.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/tracxs.netlify.app URLhaus: https://urlhaus.abuse.ch/host/tracxs.netlify.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-25 11:25:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as a high-risk credential harvesting phishing site targeting user authentication data. Analysis indicates the infrastructure is designed to deceive victims into submitting login credentials through a fraudulent account sign-in interface, as evidenced by the page title 'Sign in to your Account.' Infrastructure analysis reveals the domain tracxs.netlify.app was registered on June 12, 2026, through Netlify, with an SSL certificate issued by DigiCert Inc (DigiCert Global G2 TLS RSA SHA256 2020 CA1). It resolves to IP address 63.176.8.218 and is currently active. Security vendor detections include 15/95 flags on VirusTotal, while Google Safe Browsing and one additional security blocklist classify it as phishing. The domain remains unmitigated despite these indicators. Mitigation requires immediate blocking of the domain and its resolving IP (63.176.8.218) at network perimeter controls. Security teams should deploy indicators of compromise (IOCs) across endpoint detection and response (EDR) systems, email gateways, and web proxies. User awareness training should emphasize verification of login page URLs, particularly for domains hosted on content delivery networks (CDNs) or third-party platforms. Organizations should monitor for credential reuse attempts from affected accounts and enforce multi-factor authentication (MFA) as a compensating control. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 71e639807dd6f7bd6d9382624b837574 TLS cert SHA-256: bc3a8134c21a842e64ea34d488826dd2ba50f59a3bcbaed1e6b71a4242de1478 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/tracxs.netlify.app/ JSON API: https://api.destroy.tools/v1/check?domain=tracxs.netlify.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,051 domains (12,352 alive under monitoring, 157,076 confirmed takedowns/dead). Site: https://phishdestroy.io