0/100

medium Risk

doxbin.com

https://doxbin.com/home

104.20.17.121 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

5562 days

HTTP

200 · 19.8s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Home | Doxbin"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Doxbin

Vendors

30/30

Status

completed

✓ avg✓ brightcloud✓ eset✓ yandex✓ apple✓ isitphish✓ urlscan✓ spamhaus✓ openphish✓ emsisoft✓ cisa✓ phishreport✓ google✓ apwg✓ urlquery✓ sophos✓ netcraft✓ avast✓ bitdefender✓ norton✓ threatyeti✓ kaspersky✓ virustotal✓ phishtank✓ microsoft✓ polyswarm✓ drweb✓ urlabuse✓ mcafee✓ fortiguard

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Doxbin

Data Harvesting

Technology · 4/5/2026

Summary

The page presents Doxbin branding (Home | Doxbin) with a dark theme and a prominent masthead. Network and resource signals indicate a functional paste/search platform with an API and real-time websocket connection. The page appears to be the real Doxbin service rather than impersonation, though the content is associated with pastes and potential doxxing activities; this is not credential phishing by itself but is an abuse-prone service known for doxxing-related content.

Evidence Summary

▸Observed 1 capture stage(s); canonical stage is settled_render.

▸Distinctive asset clues: socket.io.min.js, api.js, css2, all.min.css, logo.jpg, gold.gif.

Capture

Stages: 1

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 23

Hosts: 5

Domains: 4

Suspicious Endpoints

hxxps://doxbin[.]com/api/fetchPastes?page=1

hxxps://doxbin[.]com/home

hxxps://doxbin[.]com/api/fetchStatus

hxxps://doxbin[.]com/api/submitVerificationPrompt?verificationID=${currentVerificationId}&status=${status}

hxxps://doxbin[.]com/api/readNotifications

hxxps://doxbin[.]com/api/managePasteType?action=unseal&pasteID=${pasteId}

Attack Techniques (4)

SPA-like behavior with dynamic assets loaded (socket.io, websocket connection, API endpoints).Use of external scripts and assets to render interactive paste listings (socket.io.min.js, /api/fetchPastes).Turnstile (Cloudflare) CAPTCHA integration for access verification.Websocket-based live updates via /gateway (EIO=4, websocket transport).

Indicators of Compromise (6)

▸Branding visible on page: Doxbin (Home | Doxbin).

▸Endpoints indicating paste service: https://doxbin.com/api/fetchPastes?page=1, https://doxbin.com/api/fetchStatus, https://doxbin.com/api/readNotifications, https://doxbin.com/api/managePasteType?action=unseal&pasteID=${pasteId}.

▸Websocket connection to wss://doxbin.com/gateway/?EIO=4&transport=websocket.

▸Turnstile CAPTCHA integration script from Cloudflare challenges.

▸Static assets and branding in the HTML: logo.jpg, gold.gif, red.gif, purple.gif; CSS files (nav.css, all.min.css), font/audience assets.

▸Page title and navigation indicate a paste/search community service rather than a bank/retailer login.

Risk AssessmentUsed in abuse reports

The site appears to be an operational paste/doxing platform (Doxbin) that hosts pastes and facilitates discovery of content, which is historically associated with doxxing and personal data exposure. While this scan does not show credential harvesting or malware delivery, the observed endpoints (fetchPastes, readNotifications, managePasteType) and the real-time socket connection plus explicit branding constitute a first-party abusive service by nature of content. The presence of a CAPTCHA (Turnstile) and a live, interactive UI suggests legitimate operation of the platform, but its core function and history categorize it as an abuse-prone service rather than a phishing attempt. Action recommendations reflect potential hosting of harmful content rather than credential phishing.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence