0/100

high Risk

atw.gg

https://atw.gg

104.21.0.175 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

—

HTTP

200 · 15.8s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Redirect Chain (2 hops)

301https://atw.gg/

301https://discord.gg/atwgg

Visual Evidence

Zoom

Title: "Discord"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Discord

Vendors

28/30

Status

partial

✓ bitdefender✓ drweb✓ eset✓ spamhaus✓ sophos✓ polyswarm✓ yandex✓ microsoft✓ phishtank✗ norton✓ openphish✓ urlquery✓ phishreport✓ apple✓ emsisoft✓ apwg✓ virustotal✓ avast✗ avg✓ urlabuse✓ brightcloud✓ netcraft✓ cisa✓ isitphish✓ urlscan✓ google✓ kaspersky✓ fortiguard✓ threatyeti✓ mcafee

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Discord

Credential Phishing

technology | social_media · 6/3/2026

Summary

The page presents Discord branding on atw.gg and redirects to a Discord invite page, with a visible login-like credential capture form. The page title and social/meta data reference Discord, and network/asset signals load Discord resources. Final URL is a Discord invite at discord.com/invite/atwgg, but initial domain (atw.gg) is not Discord, indicating impersonation. However, the interactive UI shown (Display Name and date of birth fields) and late-stage credential UI strongly suggest a phishing flow masquerading as Discord to harvest user input.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Content changed across stages: visible text changed materially; new forms appeared after initial capture.

▸Credential collection UI appeared late in the capture sequence.

▸Off-domain submission or API endpoints observed: https://discord.gg/atwgg.

▸Distinctive asset clues: 74524.2841e1cab884dd31.js, 85620.02f18581464b936e.js, 82489.c52a75e20c78f4e3.css, 54886.c67ca54ee8a62337.css.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: Yes

visible text changed materiallynew forms appeared after initial capture

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: Yes

Resource Signals

Resources: 268

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://discord[.]gg/atwgg

hxxps://discord[.]com/invite/atwgg

hxxps://discord[.]com/assets/74524.2841e1cab884dd31.js

hxxps://discord[.]com/assets/85620.02f18581464b936e.js

hxxps://discord[.]com/assets/19033.e949593915a7c0b1.js

hxxps://discord[.]com/assets/44996.eb44688d07172e2e.js

Off-Domain Posts

hxxps://discord[.]gg/atwgg

Attack Techniques (5)

Brand impersonation with discord branding on a non-official domainImpersonation of a legitimate service (Discord) to harvest credentialsSPA-like dynamic credential capture UI loaded via multiple Discord assetsOff-domain submission endpoint observed (discord.gg) used to funnel victimsLate-render credential capture form appearing after initial page load

Indicators of Compromise (7)

▸Domain atw.gg (not a Discord official domain) presenting Discord branding

▸Page title and meta content reference Discord

▸Final redirect to discord.com/invite/atwgg

▸Off-domain invite link: https://discord.gg/atwgg

▸Credential capture UI with Display Name; date of birth fields; Create Account button

▸Multiple external Discord asset loads and a POST to Discord challenge/api endpoints

▸SSL certificate valid for atw.gg but issued by Google Trust Services (WE1) with short validity window

Risk AssessmentUsed in abuse reports

The scan indicates a high likelihood of impersonation phishing targeting Discord users on a typosquatted domain (atw.gg). The site uses Discord branding, redirects to a legitimate Discord invite, and presents a credential-collection UI that appears to mimic Discord's account creation. The combination of impersonation signals, late-render credential UI, and off-domain submission endpoint constitutes actionable abuse. The presence of Discord assets and a discord.gg invite as part of the flow suggests an attempt to harvest user-provided display name and birth information under the guise of account creation.

Recommended Action

Block URL

Cross-Reference9

URL Intelligence