0/100

low Risk

tr.superbahisofficial.co

https://tr.superbahisofficial.co/

104.21.11.117 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

—

HTTP

200 · 20.6s

SSL

Valid· E7, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Süperbahis I Türkiye'nin Spor ve Casino Lideri"

Save

Domain Intelligence: superbahisofficial.co

Scanned 2 times since May 18, 2026, 08:24 AM UTC

ℹ Low (20)

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

superbahis1669.com

Vendors

29/31

Status

partial

✓ openphish✓ threatyeti✓ apwg✓ avg✓ sophos✗ norton✓ eset✓ google✗ chainpatrol✓ urlabuse✓ microsoft✓ polyswarm✓ yandex✓ avast✓ bitdefender✓ brightcloud✓ apple✓ emsisoft✓ isitphish✓ urlquery✓ cisa✓ spamhaus✓ urlscan✓ phishtank✓ virustotal✓ netcraft✓ drweb✓ phishreport✓ mcafee✓ kaspersky✓ fortiguard

Registered-domain escalation

Submit superbahisofficial.co as the primary IOC, enriched with evidence from hostile subdomains like tr.superbahisofficial.co.

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Superbahis1669.com

Unknown

gambling · 6/3/2026

Summary

The page presents Süperbahis branding in Turkish and appears to be a sportsbook/casino site. However, the final URL shows a different domain (superbahis1669.com/bahis) while the initial host is tr.superbahisofficial.co, and the page title/name aligns with Süperbahis branding. There is strong impersonation signals: the visible branding mimics a well-known betting site, with multiple embedded scripts and resources loaded from the superbahis1669.com domain, including potential credential/capture endpoints. The site uses a fresh Let's Encrypt SSL cert and heavy SPA-like asset loading, with on-page elements and network calls suggesting login/interaction surfaces, but static HTML contains no forms. The combination of domain mismatch, heavy dynamic content, and external endpoints points toward phishing/credential harvesting risk, though definitive credential theft indicators require runtime form presence. Overall indicators support impersonation signals and potential abuse related to credential collection on a cloned betting brand, not a clearly first-party service.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Content changed across stages: visible text changed materially.

▸POST targets observed during capture: https://va.tawk.to/v1/session/start, https://superbahis1669.com/cdn-cgi/challenge-platform/h/g/jsd/oneshot/825e783f7fae/0.9828335528669454:1779178007:1vPRlbirOcrikDFc_gvRY9kH-xPS_1LBAfcXByjeSRY/9fe1e2758ff0a895.

▸Distinctive asset clues: initialSession.15617de4.js, j.php, superbahis-tr.15617de4.css, css2, v.gif, 168-r-br.svg.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: Yes

visible text changed materially

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 231

Hosts: 12

Domains: 11

Suspicious Endpoints

hxxps://superbahis1669[.]com/api/SessionServices/V1/ServiceV1_5/session/start?domainId=superbahis-tr

hxxps://superbahis1669[.]com/api/ContentServices/V1/ServiceV1_1/seo/adHocRedirects

hxxps://superbahis1669[.]com/api/ContentServices/V1/ServiceV1_1/gateways

hxxps://superbahis1669[.]com/api/ContentServices/V1/ServiceV1_1/footer

hxxps://superbahis1669[.]com/api/ContentServices/V1/ServiceV1_1/hiddenMarkets

hxxps://superbahis1669[.]com/api/ContentServices/V1/ServiceV1_1/promotions?hasUserEverLoggedIn=false&group=promotions

Attack Techniques (2)

Brand impersonation with spoofed styling and brandingSPA-like dynamic content loading (0 static forms; credential capture likely via JavaScript-rendered UI)

Indicators of Compromise (1)

▸Suspicious API endpoints on superbahis1669.com related to sessions, content services, markets (session/start, adHocRedirects, footer, hiddenMarkets, promotions, assets, bets)

Risk AssessmentUsed in abuse reports

The scan evidences strong impersonation signals: the page visually reproduces Süperbahis branding but is hosted at a non-official domain (superbahis1669.com) after redirect from tr.superbahisofficial.co. The HTML contains 0 static forms, but numerous dynamic scripts and API endpoints on the final domain suggest possible credential collection via a SPA. External chat and analytics scripts (Tawk.to, Visual Website Optimizer) are loaded, and there are suspicious POSTs to session-start endpoints. This combination indicates potential phishing infrastructure aiming to harvest user interactions or credentials, though definitive credential capture cannot be proven from static HTML alone. Monitor and consider takedown actions if corroborated by user reports or additional evidence of credential theft.

Recommended Action

Suspend Domain

Cross-Reference9

URL Intelligence