# PhishDestroy threat dossier — vzlomvk.ru
================================================================
Fetched: 2026-05-01 02:35:13 UTC
Canonical: https://phishdestroy.io/domain/vzlomvk.ru/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 54/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/94 security vendors flagged this domain
Flagging vendors: alphaMountain.ai

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 31.31.196.172 (RU, Moscow)
ASN: AS197695 (Domain names registrar REG.RU, Ltd)
Hosting org: Reg.Ru
Registrar: REGRU-RU
Nameservers: ns1.hosting.reg.ru, ns2.hosting.reg.ru (the raw record listed each name twice, with and without the trailing root dot; they are the same two servers)
Registered: 2026-04-17
Page title: Взлом ВК без предоплаты ("Hack VK without prepayment")

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: GlobalSign nv-sa / GlobalSign GCC R6 AlphaSSL CA 2025
Expires: 2026-10-28
Status: INVALID chain
Fingerprint (SHA-256): 80396e79fc653507f76db92c6ec8ada6474be041a94d8759dc37351592338928
Subject Alternative Names (related infrastructure — often same operator):
- www.vzlomvk.ru

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched: either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit, but no formal notice was sent.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-17 07:07:20 UTC (by PhishDestroy tracker)
First reported: 2026-04-17 04:10:42 UTC (abuse notice filed; this timestamp precedes the first-detected timestamp and conflicts with the ABUSE-REPORT HISTORY section above, which records that no formal notice was sent, so treat it as a tracker bookkeeping entry rather than proof of a dispatched notice)
Last verified: 2026-04-29 13:40:19 UTC
Neutralised: 2026-04-29 12:29:42 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d999c-f2bf-774b-a8aa-a4a20a1fa251/
URLQuery: https://urlquery.net/report/8ecf928b-ce82-4346-8801-acc946e07db7
Wayback Machine: https://web.archive.org/web/*/vzlomvk.ru
crt.sh CT logs: https://crt.sh/?q=%25.vzlomvk.ru
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=vzlomvk.ru
AlienVault OTX: https://otx.alienvault.com/indicator/domain/vzlomvk.ru
URLhaus: https://urlhaus.abuse.ch/host/vzlomvk.ru/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-17 07:08:23 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

### Is vzlomvk.ru Safe to Access? Current Risk Assessment and Threat Analysis

The domain vzlomvk.ru is under investigation for active credential phishing targeting VKontakte (VK) accounts. The lure is a "free account hacking service": visitors who want to break into someone else's VK account are tricked into surrendering their own VK credentials. The risk level for this domain is recorded as under investigation, but its active status and same-day registration demand heightened scrutiny from security teams and end users alike. Initial reconnaissance surfaced several red flags.
The page title, Взлом ВК без предоплаты ("Hack VK without prepayment"), is the hallmark of the "free hacking service" lure: the site promises to break into someone else's VK account with no upfront payment and uses that promise to collect the visitor's own VK credentials. According to current telemetry the domain resolves to 31.31.196.172 and is registered through REG.RU (registrar ID REGRU-RU), which also hosts it; this registrar-plus-hosting combination is frequently seen on short-lived abusive .ru domains. At the time this narrative was generated VirusTotal recorded zero detections out of 95 engines (the DETECTION EVIDENCE section above, from a later check, shows 1/94, alphaMountain.ai), the low initial detection rate that is normal for a domain registered the same day. The domain was registered on 2026-04-17 and serves a GlobalSign AlphaSSL certificate (issuer GlobalSign nv-sa), which lends the page an air of legitimacy at first glance even though the chain was later recorded as invalid. No current blocklist entries were identified at the time of analysis, which is exactly why proactive monitoring rather than reputation lookups is needed here.

Given the VK-specific nature of this campaign, security teams should act on the indicators directly rather than wait for reputation services to catch up. Users should be warned against engaging with any site claiming to offer free hacking services, particularly on newly registered domains with low detection counts. Network defenders should block vzlomvk.ru and www.vzlomvk.ru (the certificate SAN) with a DNS sinkhole or RPZ entry at the resolver and at the perimeter. Block the IP 31.31.196.172 only with care: it is a Reg.ru hosting address that is likely shared with unrelated customers, so an IP-level block can cause collateral outages; use the IP for log correlation and for finding other hostnames that resolve to it. Hunting for GlobalSign nv-sa certificates issued to recently registered .ru domains, as originally suggested, is a weak pivot on its own, since AlphaSSL certificates are resold in volume by hosting providers, Reg.ru among them; combine the CT search (crt.sh link above) with the page title, the favicon MD5 in EVIDENCE HASHES and the hosting IP to surface related pages with fewer false positives. User awareness training should stress that credentials entered into such a portal are captured immediately, and that a compromised VK account is reused for further social engineering of the victim's contacts and for exfiltration of the account's private messages and data.
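The blocking and correlation advice above can be turned into a concrete log-triage step. The script below is an added example, not PhishDestroy tooling: it matches the dossier's domain and IP indicators against constructed dnsmasq-style DNS query lines and Squid-style proxy access lines, treats a domain match (including any subdomain of a flagged name, which goes slightly beyond the two names the dossier lists) as a firm hit, downgrades an IP-only match to "review" because 31.31.196.172 is a Reg.ru hosting address that may serve unrelated sites, and emits RPZ records (`CNAME .`, the standard RPZ NXDOMAIN action) for a domain-level block. The log lines are constructed for the demo; the indicators are the dossier's own.

```python
"""IOC triage for the vzlomvk.ru dossier.

Added example, not PhishDestroy code.  The log lines below are constructed
for the demo; the indicators are the ones listed in the dossier.
"""
import re
from dataclasses import dataclass

# Indicators from the dossier.  The www. name is the certificate SAN.
IOC_DOMAINS = {"vzlomvk.ru", "www.vzlomvk.ru"}
IOC_IPS = {"31.31.196.172"}

# Constructed sample log: dnsmasq query/reply lines and Squid access lines.
SAMPLE_LOG = [
    "Apr 17 07:05:01 dnsmasq[812]: query[A] vzlomvk.ru from 10.0.0.5",
    "Apr 17 07:05:01 dnsmasq[812]: reply vzlomvk.ru is 31.31.196.172",
    "Apr 17 07:05:03 dnsmasq[812]: query[A] www.vzlomvk.ru from 10.0.0.5",
    "Apr 17 07:06:10 dnsmasq[812]: query[A] updates.example.com from 10.0.0.9",
    "1776402361.220 245 10.0.0.5 TCP_MISS/200 5123 GET https://vzlomvk.ru/ - HIER_DIRECT/31.31.196.172 text/html",
    "1776402399.004 180 10.0.0.7 TCP_MISS/200 4099 GET https://other-site.example/ - HIER_DIRECT/31.31.196.172 text/html",
]

# Hostname-looking tokens (at least one label plus an alphabetic TLD) and IPv4 literals.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str        # "domain" or "ip"
    confidence: str  # "firm" for a domain match, "review" for an IP-only match
    line: str


def _flagged(host):
    """True if host is a flagged name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in IOC_DOMAINS)


def scan_log(lines):
    """Return one Hit per log line that touches an indicator (domain wins over IP)."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = None
        for host in HOST_RE.findall(line):
            if _flagged(host):
                hit = Hit(n, host.lower().rstrip("."), "domain", "firm", line)
                break
        if hit is None:
            for ip in IPV4_RE.findall(line):
                if ip in IOC_IPS:
                    # Shared hosting: the IP alone does not prove contact with the phish.
                    hit = Hit(n, ip, "ip", "review", line)
                    break
        if hit is not None:
            hits.append(hit)
    return hits


def summarize(hits):
    """Count hits by confidence so the reviewer sees how much is firm."""
    counts = {"firm": 0, "review": 0}
    for h in hits:
        counts[h.confidence] += 1
    return counts


def rpz_records():
    """RPZ zone lines that return NXDOMAIN for each flagged name and its subdomains."""
    recs = []
    for d in sorted(IOC_DOMAINS):
        recs.append(f"{d} CNAME .")
        recs.append(f"*.{d} CNAME .")
    return recs


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind}={h.indicator} [{h.confidence}]")
    print(summarize(found))
    print("\n".join(rpz_records()))
```

The last sample line is the collateral case the prose warns about: a different site served from the same Reg.ru address produces an IP-only "review" hit, not a firm one, so an analyst does not treat it as a confirmed visit to the phish.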
## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260417-26E9C3
Favicon MD5: 0b5e25721f0f13534ea4a0e8b402aa79
TLS cert SHA-256: 80396e79fc653507f76db92c6ec8ada6474be041a94d8759dc37351592338928

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
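The methodology's central point, that a clean VirusTotal result on a days-old domain carries almost no weight, is easier to see with a scorer that combines the indicator families listed above. The following is an added example and not PhishDestroy's scorer: the families follow the list in this section, but the weights, thresholds and verdict bands are illustrative assumptions. For vzlomvk.ru the dates and VT counts come from this dossier; the boolean flags and the registrar abuse ratio are assumed values for the demo, and the composite is not expected to reproduce the 54/100 shown in VERDICT.

```python
"""Composite risk scoring in the style of the methodology above.

Added example, not PhishDestroy's scorer.  The indicator families follow the
dossier's list; the weights, thresholds and verdict bands are illustrative
assumptions, not PhishDestroy's published values.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Indicators:
    domain: str
    registered: date
    observed: date
    vt_positives: int
    vt_total: int
    blocklist_hits: int           # public blocklists listing the domain
    dns_filter_hits: int          # DNS filters (Quad9, NextDNS, ...) blocking it
    cloaking: bool                # bot vs real-visitor rendering delta
    brand_impersonation: bool     # DOM / logo / wording heuristics fired
    kit_fingerprint: bool         # favicon hash or JS signature matched a known kit
    free_tls: bool                # throwaway-infrastructure signal
    registrar_abuse_ratio: float  # 0..1, share of this registrar's domains seen abusive


def composite_score(ind):
    """Return (points 0-100, reasons).  All weights below are hypothetical."""
    points = 0
    reasons = []

    # Domain age dominates: a same-day registration is itself a strong signal.
    age_days = (ind.observed - ind.registered).days
    if age_days < 30:
        points += 25
        reasons.append(f"registered {age_days} day(s) before observation")
    elif age_days < 90:
        points += 10
        reasons.append(f"registered {age_days} days before observation")

    # VT contributes proportionally and is capped, so 0/95 simply adds nothing.
    if ind.vt_total:
        vt_points = min(20, round(200 * ind.vt_positives / ind.vt_total))
        if vt_points:
            points += vt_points
            reasons.append(f"VirusTotal {ind.vt_positives}/{ind.vt_total}")

    if ind.blocklist_hits:
        points += min(20, 5 * ind.blocklist_hits)
        reasons.append(f"{ind.blocklist_hits} public blocklist(s)")
    if ind.dns_filter_hits:
        points += min(10, 2 * ind.dns_filter_hits)
        reasons.append(f"{ind.dns_filter_hits} DNS filter(s)")

    for flag, weight, label in (
        (ind.cloaking, 10, "cloaking"),
        (ind.brand_impersonation, 10, "brand impersonation"),
        (ind.kit_fingerprint, 10, "known phishing-kit fingerprint"),
        (ind.free_tls, 5, "free TLS certificate"),
    ):
        if flag:
            points += weight
            reasons.append(label)

    if ind.registrar_abuse_ratio > 0:
        points += round(10 * ind.registrar_abuse_ratio)
        reasons.append(f"registrar abuse ratio {ind.registrar_abuse_ratio:.2f}")

    return min(100, points), reasons


def verdict(points):
    """Illustrative bands; PhishDestroy's own cut-offs are not on this page."""
    if points >= 60:
        return "HIGH"
    if points >= 30:
        return "SUSPICIOUS"
    return "LOW"


# Constructed cases.  Dates and VT counts for vzlomvk.ru are from the dossier;
# the flags and the registrar ratio are assumed values for the demo.
NEW_DOMAIN = Indicators("vzlomvk.ru", date(2026, 4, 17), date(2026, 4, 17),
                        0, 95, 0, 0, False, True, False, False, 0.4)
LATER_CHECK = Indicators("vzlomvk.ru", date(2026, 4, 17), date(2026, 4, 29),
                         1, 94, 0, 0, False, True, False, False, 0.4)
ESTABLISHED = Indicators("example.com", date(2015, 1, 1), date(2026, 4, 17),
                         0, 95, 0, 0, False, False, False, False, 0.0)

if __name__ == "__main__":
    for case in (NEW_DOMAIN, LATER_CHECK, ESTABLISHED):
        pts, why = composite_score(case)
        print(f"{case.domain}: {pts}/100 {verdict(pts)} <- {', '.join(why) or 'no indicators'}")
```

Both vzlomvk.ru cases and the established domain share the same near-zero VirusTotal result, yet only the established one scores LOW: the age and impersonation signals, not VT, carry the verdict, which is the cross-referencing rule stated above.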
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/vzlomvk.ru/
JSON API: https://api.destroy.tools/v1/check?domain=vzlomvk.ru
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io