https://hititbet.wwwtr-supergirislerim.icu/
104.21.80.207 · Cloudflare, Inc.
Toronto, Canada
0 days ⚠
200 · 71.5s
Valid· WE1, Google Trust Services, US
COMPLETED
Linked Phishing Report
This scan is attached to a vendor submission report
Brand
Hititbet
Vendors
28/31
Status
partial
Registered-domain escalation
Submit wwwtr-supergirislerim.icu as the primary IOC, enriched with evidence from hostile subdomains like hititbet.wwwtr-supergirislerim.icu.
No KB/IOK detections were recorded for this scan.
gambling · 7/19/2026
The site impersonates Hititbet, a known online betting platform, and contains a login form designed to capture user credentials. The domain is newly registered and uses a suspicious TLD (.icu), indicating a high risk of phishing activity. The presence of off-domain API calls further supports the likelihood of credential harvesting. Analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: Website is cloaking and only works for Turkey IP and faking the real brand and phishing scamming users Analyst note: this target may cloak content or block scanners.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 2
Password fields: 3
Late-stage login UI: No
Resource Signals
Resources: 93
Hosts: 9
Domains: 9
Suspicious Endpoints
hxxps://verification[.]pagcor-regulatory[.]ph/api/validate/logo?domain=hititbet.com
hxxps://hititbet947[.]com/login.php
hxxps://hititbet947[.]com/
Off-Domain Posts
hxxps://verification[.]pagcor-regulatory[.]ph/api/validate/logo?domain=hititbet.com
The scan indicates that the site is actively impersonating Hititbet, a known online betting service, and is likely engaged in credential phishing. The domain is newly registered, and the use of a suspicious TLD raises significant concerns about its legitimacy. Additionally, the presence of off-domain API calls suggests potential data exfiltration. Immediate action is recommended to mitigate risks associated with this site. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Website is cloaking and only works for Turkey IP and faking the real brand and phishing scamming users Analyst note: this target may cloak content or block scanners.). Because analyst context identifies an active phishing or fraud kit, domain suspension is recommended rather than passive monitoring.
Suspend Domain