0/100

medium Risk

the-actual.top

https://the-actual.top/

104.21.9.91 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

132 days

HTTP

200 · 31.4s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Actual domain"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

anonflare

Vendors

29/30

Status

partial

✓ cisa✓ bitdefender✓ norton✓ sophos✓ phishreport✓ avg✓ microsoft✓ avast✓ polyswarm✓ yandex✓ brightcloud✓ kaspersky✓ apple✓ isitphish✓ urlquery✓ apwg✓ urlscan✓ spamhaus✓ phishtank✓ openphish✓ virustotal✓ netcraft✓ emsisoft✗ eset✓ drweb✓ urlabuse✓ threatyeti✓ google✓ mcafee✓ fortiguard

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

anonflare

Data Harvesting

technology | finance | ecommerce | other · 4/5/2026

Summary

The page presents branding suggesting anonflare.com, but the domain is the-actual.top. Static HTML shows no login fields, yet a JS beacon is loaded from Cloudflare Insights and a POST to /rum is observed, indicating potential data collection. The screenshot indicates impersonation of a different brand (anonflare.com) while hosted on a separate domain, which aligns with credential or data exfiltration risk typical of phishing-like impersonation, though no concrete login form is visible in static HTML.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸POST targets observed during capture: https://the-actual.top/cdn-cgi/rum?.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 4

Hosts: 2

Domains: 2

Attack Techniques (4)

SPA-rendered credential capture risk (forms may be injected by JavaScript in the loaded bundle)External analytics/beacon script loading from Cloudflare InsightsPOST to /cdn-cgi/rum? (potential data exfiltration endpoint)Impersonation of a known brand via visual branding (anonflare.com) on a non-official domain

Indicators of Compromise (7)

▸Page title: 'Actual domain' but body text shows 'Actual domain: anonflare.com'

▸Domain: the-actual.top (new-ish top-level domain with risk score 10/100)

▸SSL cert issued by Google Trust Services (legitimate CA) for the-actual.top

▸External script: https://static.cloudflareinsights.com/beacon.min.js

▸Network: POST to https://the-actual.top/cdn-cgi/rum? (204 response)

▸GET to https://api.ipify.org/?format=text (IP exposure check)

▸No static login form in HTML; SPA behavior implied

Risk AssessmentUsed in abuse reports

The evidence shows impersonation signals: the page displays branding referencing anonflare.com while the domain the-actual.top is presented as the hosting site. The static HTML contains no forms, but a JavaScript beacon and a POST to an endpoint may indicate credential collection logic embedded in a JavaScript bundle, consistent with SPA-based credential capture. The combination of impersonated branding, external analytics script, and an endpoint that could be used for data exfiltration constitutes abuse potential, warranting elevated risk. The domain age is 132 days with a .top TLD, which contributes to suspicion. Recommend monitoring and further investigation; consider takedown actions if corroborated credential harvesting or user data collection is observed in runtime.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence