# userstarted.ghost.io — MALICIOUS

> userstarted.ghost.io is linked to phishing risks and flagged by security tools. Avoid interaction and report suspicious activity immediately.

## Summary
PhishDestroy identifies userstarted.ghost.io as a high-risk generic phishing domain. It was created recently and used to mislead users attempting legitimate access.

The domain resolves to IP 151.101.131.7 and is listed on one security blocklist. VirusTotal flags it by 11 of 95 vendors. Registered via 1API GmbH, technical indicators suggest malicious intent.

Currently, userstarted.ghost.io is offline after detection. Users are advised to avoid the domain and remain cautious of similar setups to prevent credential theft.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 404)
- Page title: Domain error

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: 1API GmbH
- Country: DE
- IP: 151.101.131.7
- IP Org: Cloudflare CDN
- Nameservers: ["woz.ns.cloudflare.com", "sara.ns.cloudflare.com"]
- SSL Issuer: Let's Encrypt / R12

## Detection Status
- VirusTotal: 11 vendors flagged
  Vendors: ["ADMINUSLabs", "Criminal IP", "alphaMountain.ai", "Chong Lua Dao", "CRDF", "CyRadar", "Emsisoft", "Gridinsoft", "Lionic", "Netcraft", "Webroot"]
- Google Safe Browsing: clean
- Blocklists: 1 hits
  Lists: ["PhishDestroy"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019c9ce1-8604-7563-9491-3b4f1cad0a72.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/6ab07fe0-5ba6-476f-938f-7fe6b7c6e5d7
- PhishDestroy: https://phishdestroy.io/domain/userstarted.ghost.io/
- LLM endpoint: https://phishdestroy.io/domain/userstarted.ghost.io/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/userstarted.ghost.io/
Last updated: 2026-03-19