https://xhavale.vip/
172.67.154.201 · Cloudflare, Inc.
Toronto, Canada
28 days
200 · 64.1s
Valid· WE1, Google Trust Services, US
COMPLETED
No KB/IOK detections were recorded for this scan.
gambling | technology · 7/19/2026
The page presents Süperbahis branding and a login form on xhavale.vip, but the domain is newly registered (28 days) and uses Cloudflare protection. Visuals mimic a betting site, including sports/casino navigation and logos, yet the domain does not belong to Süperbahis. Credential collection UI is present with a password field and a login form, and there are multiple external tracking scripts and analytics requests. The evidence indicates potential impersonation risk and credential harvesting setup, but the overall claim of phishing requires confirmation of impersonation vs. first-party abuse; at minimum, the domain appears designed to resemble a known betting brand while not being its official domain.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 1
Password fields: 1
Late-stage login UI: No
Resource Signals
Resources: 237
Hosts: 29
Domains: 21
Suspicious Endpoints
hxxps://xhavale[.]vip/api/ContentServices/V1/ServiceV1_1/seo/adHocRedirects
hxxps://xhavale[.]vip/api/ContentServices/V1/ServiceV1_1/gateways
hxxps://xhavale[.]vip/api/SessionServices/V1/ServiceV1_5/session/start?host=xhavale.vip
hxxps://xhavale[.]vip/DOTCMS/superbahis/Promotions/SB_TELEGRAM_BANNER_SPO/bad8a8ba-7d9b-4194-8497-d0c8db26b96d/TR/assets/TABLET-WEB-V1/oneSizeBanner.jpg?_=20260512T0920
hxxps://xhavale[.]vip/DOTCMS/superbahis/AssetManagement/TR/resp/menus/lsn/telegram.png?_=20250410T1309Z
hxxps://xhavale[.]vip/
No specific IOCs identified in source
The site presents Süperbahis branding but the domain xhavale.vip is newly registered and not the official Süperbahis domain, which is a strong impersonation signal. The page includes a login/password field and a login form, suggesting credential harvesting potential. Multiple tracking and analytics endpoints are loaded, including Optimizely/Optimove and Facebook pixels, and there are POST requests to tracking endpoints, which increases risk of data exfiltration. The presence of an active login surface on a brand-cloned page constitutes a credible abuse case and warrants further investigation and possible takedown action. Monitor and consider domain suspension or blocking if impersonation is confirmed; report to registrar for misrepresentation.
Suspend Domain