# PhishDestroy threat dossier — wazbee.fun ================================================================ Fetched: 2026-07-13 01:17:08 UTC Canonical: https://phishdestroy.io/domain/wazbee.fun/ ## VERDICT ---------------------------------------------------------------- ACTIVE — previously flagged dead but abuse reports still being filed (likely resurrected or never truly dead) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Generic Phishing Phishing kit: Gambler Scam ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 15/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, Sophos, VIPRE URLQuery: 2 detections Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.85.110 (US, San Francisco) ASN: ASAS13335 CLOUDFLARENET - Cloudflare, Inc., US Hosting org: AS13335 Cloudflare, Inc. Registrar: Fewmoretaps OU d/b/a Trustname.com !!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!! Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity, Belarusian ownership. Explicitly advertises itself as 'bulletproof' in its DNS TXT records. Primary source: https://phishdestroy.io/trustname-bulletproof-exposed Nameservers: mcgrory.ns.cloudflare.com, reza.ns.cloudflare.com Registered: 2026-05-22 Expires: 2027-05-22 Page title: Wazbee: Most Popular Online Crypto Casino Based on Blockchain HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-08-20 Status: INVALID chain Fingerprint: d05086769d0ae3ae838abcbbcc7fd81a2b651a7e906f659a493d8bf599c20b62 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: REPORTS FILED AND IGNORED — Fewmoretaps OU d/b/a Trustname.com did not act on these notifications. Domain was flagged dead on 2026-06-24 18:19:01 UTC but a fresh report was filed on 2026-07-11 01:03:55 UTC — it is back or never truly suspended. Reports filed: 1 independent abuse notifications First report: 2026-07-11 01:03:55 UTC Days since first notice: 2 — no registrar action, domain remains online ICANN Compliance CC'd on at least one escalation — non-response is on record. Methodology: follow-up reports are sent ONLY when a victim re-submitted a re-report via our public form, our monitoring detected the domain resurfacing in SEO/feeds, OR our live-checker confirmed the domain is still technically active and fraudulent. Each report contains: VT verdict, URLScan snapshot, WHOIS, SSL metadata, IP/hosting chain, impersonated-brand evidence, drainer/kit classification, screenshots, and a cryptographic hash of the forensic PDF. ICANN RAA Sec. 3.18 applies. Per-report timeline: https://phishdestroy.io/domain/wazbee.fun/#coordinated-suppression ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-22 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-24 14:34:26 UTC (by PhishDestroy tracker) First reported: 2026-06-24 12:52:36 UTC (abuse notice filed) Last verified: 2026-07-13 00:20:36 UTC Flagged dead: 2026-06-24 18:19:01 UTC (SUPERSEDED — fresh report filed after this date, see ABUSE-REPORT HISTORY) Current status: ACTIVE (flagged dead but resurrected — registrar did not act on fresh reports) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019ef99e-8518-74ab-b686-9ad488f0dd0d/ URLQuery: https://urlquery.net/report/eef899a5-04f7-4d3c-9ef2-75aeaa70ebb4 Wayback Machine: https://web.archive.org/web/*/wazbee.fun crt.sh CT logs: https://crt.sh/?q=%25.wazbee.fun Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=wazbee.fun AlienVault OTX: https://otx.alienvault.com/indicator/domain/wazbee.fun URLhaus: https://urlhaus.abuse.ch/host/wazbee.fun/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:25:30 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, wazbee.fun, was registered on May 22 2026 through the registrar Fewmoretaps OU d/b/a Trustname.com. It is hosted behind Cloudflare’s network (AS13335) and resolves to IP address 104.21.85.110, which geolocates to the United States. The site presents a valid Let’s Encrypt certificate (issuer “E7”) and returns HTTP 200 responses, indicating a fully operational web server. The landing page carries the title “Wazbee: Most Popular Online Crypto Casino Based on Blockchain” and explicitly mimics the brand Base, a well‑known crypto‑gaming provider. Technical analysis shows the page loads Twitter Ads, a Facebook Pixel, and Cloudflare Browser Insights, all typical of monetised phishing portals. The domain’s nameservers, mcgrory.ns.cloudflare.com and reza.ns.cloudflare.com, are standard Cloudflare delegations, providing no additional attribution. Threat intelligence flags wazbee.fun as a high‑risk brand‑impersonation site. It appears on one security blocklist and is listed by PhishDestroy as active. VirusTotal scans return 15 detections out of 95 security vendors, and Gridinsoft assigns a trust score of 1 / 100, underscoring the malicious nature of the infrastructure. The site is identified as using the “Gambler Scam” phishing kit, which commonly harvests cryptocurrency credentials and redirects victims to affiliate monetisation pages. Defenders should block DNS resolution for wazbee.fun at the network perimeter and add the IP 104.21.85.110 to any outbound filtering rules that target known malicious hosts. Because the site uses Cloudflare’s public edge, additional traffic‑analysis signatures—such as the presence of Twitter Ads and Facebook Pixel scripts combined with the specific page title—can be employed to detect similar clones. Continuous monitoring of the associated certificate and any future changes to the nameserver set is advised, as adversaries may shift hosting while retaining the same branding. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260624-0895D5 Favicon MD5: 50679c0c5e3ed56d05c1d0ed312419a7 TLS cert SHA-256: d05086769d0ae3ae838abcbbcc7fd81a2b651a7e906f659a493d8bf599c20b62 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/wazbee.fun/ JSON API: https://api.destroy.tools/v1/check?domain=wazbee.fun Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,008 domains (49,746 alive under monitoring, 128,262 confirmed takedowns/dead). Site: https://phishdestroy.io