# PhishDestroy threat dossier — xn--cdigopromocionalrainbet-5ic.site ================================================================ Fetched: 2026-07-14 06:50:38 UTC Canonical: https://phishdestroy.io/domain/xn--cdigopromocionalrainbet-5ic.site/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: ChainPatrol, Gridinsoft, SOCRadar Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 185.158.133.1 (PL, Dźwirzyno) ASN: AS13335 Cloudflare, Inc. Hosting org: AS13335 Cloudflare, Inc. Registrar: GoDaddy.com, LLC Nameservers: ns27.domaincontrol.com, ns28.domaincontrol.com Registered: 2026-07-07 Expires: 2027-07-07 Page title: Código de Referencia Rainbet BONUS50 — Bono 100% hasta $2100 HTTP response: 403 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-10-05 Status: INVALID chain Fingerprint: b683929e9f7b9dd0df8b73340fa2a0702433a2a1874aa5a917b3c9e4bafa68a5 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-07 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-08 13:39:37 UTC (by PhishDestroy tracker) Last verified: 2026-07-14 08:20:41 UTC Neutralised: 2026-07-08 18:17:53 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4185-8dbf-704c-99ef-169a23945cb0/ URLQuery: https://urlquery.net/report/2b7c9879-95c4-4a27-b5b9-d06c04514b57 Wayback Machine: https://web.archive.org/web/*/xn--cdigopromocionalrainbet-5ic.site crt.sh CT logs: https://crt.sh/?q=%25.xn--cdigopromocionalrainbet-5ic.site Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=xn--cdigopromocionalrainbet-5ic.site AlienVault OTX: https://otx.alienvault.com/indicator/domain/xn--cdigopromocionalrainbet-5ic.site URLhaus: https://urlhaus.abuse.ch/host/xn--cdigopromocionalrainbet-5ic.site/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-08 15:01:30 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, xn--cdigopromocionalrainbet-5ic.site, is actively engaged in credential theft through brand impersonation targeting users of the Rainbet platform. The site presents itself as an official promotional portal for Rainbet, offering fraudulent incentives such as a "Bono 100% hasta $2100" and a referral code "BONUS50" to lure victims. Analysis of the page title and content structure indicates an intent to harvest login credentials, payment details, or personal information by mimicking legitimate promotional campaigns. The use of a punycode domain (xn--) suggests an attempt to obfuscate the true nature of the site, a common tactic in phishing operations to evade detection by users and automated systems. Infrastructure analysis reveals that the domain was registered on July 07, 2026, through GoDaddy.com, LLC, a registrar frequently utilized in both legitimate and malicious operations. The domain currently resolves to the IP address 185.158.133.1, which has not been widely flagged in threat intelligence feeds. As of the latest assessment, the domain has zero detections on VirusTotal (0/95), indicating it has not yet been widely recognized as malicious by security vendors. This lack of detection, combined with the recent registration date, suggests the campaign may still be in its early stages or employing evasion techniques to avoid automated scrutiny. No blocklist entries or public reports were identified at the time of analysis, further highlighting the domain's current low visibility in threat intelligence circles. Users who have visited xn--cdigopromocionalrainbet-5ic.site or interacted with its content should take immediate remedial actions. First, revoke any credentials entered on the site, particularly those associated with Rainbet or other financial platforms. Monitor accounts for unauthorized transactions or suspicious activity, as stolen credentials may be exploited in subsequent attacks. If payment details were provided, contact financial institutions to secure accounts and request transaction monitoring. Additionally, scan affected devices for malware or unwanted software that may have been installed during the interaction. Given the domain's active status and lack of detection, users are advised to report the site to their security teams or threat intelligence platforms to aid in broader detection efforts. [Updates since narrative was generated:] - Public blocklists: now listed on 3 feeds - VirusTotal detections: now 3/91 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 566e64364d6957715dc11845f4800700 TLS cert SHA-256: b683929e9f7b9dd0df8b73340fa2a0702433a2a1874aa5a917b3c9e4bafa68a5 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/xn--cdigopromocionalrainbet-5ic.site/ JSON API: https://api.destroy.tools/v1/check?domain=xn--cdigopromocionalrainbet-5ic.site Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,353 domains (50,030 alive under monitoring, 128,323 confirmed takedowns/dead). Site: https://phishdestroy.io