0/100

critical Risk

prinvot.com

https://prinvot.com

82.221.129.24 · Icenetworks Ltd

Location

Reykjavik, Iceland

Domain Age

6 days ⚠

HTTP

200 · 15.2s

SSL

Valid· R13, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Prinvot - Send notes that will self-destruct after being read"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Prinvot

Vendors

30/31

Status

partial

✓ norton✓ sophos✓ yandex✓ polyswarm✓ drweb✓ bitdefender✓ avast✓ avg✓ brightcloud✓ chainpatrol✓ emsisoft✓ apple✓ urlscan✓ phishtank✗ eset✓ cisa✓ urlquery✓ isitphish✓ openphish✓ apwg✓ phishreport✓ spamhaus✓ netcraft✓ virustotal✓ microsoft✓ urlabuse✓ threatyeti✓ mcafee✓ kaspersky✓ google✓ fortiguard

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Prinvot

Data Harvesting

technology | ecommerce | finance · 4/5/2026

Summary

The page presents Prinvot branding and a note-destruct service, with a password field and an endpoint POST to /rum. Visuals show Prinvot branding (logo, title, colors) on the domain prinvot.com, which appears to be the official site. However, the site collects credentials via a password field and posts data to an internal endpoint, suggesting potential credential collection or exfiltration behavior. The domain is very new (6 days) with a Let's Encrypt cert and external scripts loaded, which may indicate a risk of misuse or rapid deployment. The combination of password input, suspicious POST endpoint, and non-standard external resources raises concerns about data harvesting rather than legitimate operation.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸Canonical stage contains password collection UI.

▸POST targets observed during capture: https://prinvot.com/rum.

▸Distinctive asset clues: TextEncoderLite.js, b64.js, legacy.css, prinvot-logo.svg, privnote-page-flip-30.png.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 1

Password fields: 2

Late-stage login UI: No

Resource Signals

Resources: 25

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://prinvot[.]com/

Attack Techniques (5)

Password field present in UIPOST request to /rum (data exfiltration suspe ct)External JavaScript from multiple hosts including potentially tracking/consent scriptsSelf-destruct note service branding aimed at confidentialityNew domain with short lifespan and new SSL certificate

Indicators of Compromise (7)

▸Domain: prinvot.com (new, 6 days old)

▸Password input fields in UI (passwordInputCount: 2)

▸POST to https://prinvot.com/rum (204) – potential data submission

▸External script hosts: clickiocmp.com, cloudflareinsights.com, and local static paths

▸Branding/logo: prinvot with Privnote-like imagery (note: includes privnote-page-flip-30.png)

▸SSL: Let's Encrypt cert issued 6 days ago

▸IP address registered to Iceland (Icenetworks Ltd)

Risk AssessmentUsed in abuse reports

The domain prinvot.com is extremely new (6 days) and uses a password field with a POST request to /rum, which could indicate credential harvesting or data exfiltration in a credential-protected note service. The page uses external scripts from multiple third-party hosts, increasing risk of privacy leakage. While the branding and page title clearly identify Prinvot as a self-destructing notes service, the evidence of a password input UI and a POST endpoint for data collection elevates concern for credential or data harvesting abuse. Recommend monitoring and further domain intelligence checks; consider blocking or suspending if corroborated abuse signals persist.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence