0/100

high Risk

tr.ee

https://tr.ee/JJynVJ

151.101.130.133 · Fastly, Inc.

Location

Montreal, Canada

Domain Age

—

HTTP

200 · 20.3s

SSL

Valid· R12, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Just a moment..."

Save

Domain Intelligence: tr.ee

Scanned 2 times since Mar 9, 2026, 01:27 AM UTC

✗ Critical (100)

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

tr.ee

Unknown

technology | finance | ecommerce | gaming · 4/5/2026

Summary

The scan shows a redirect to osrsjagex.gamingvote.com with a page titled 'Just a moment...' and evidence of Cloudflare Turnstile integration. Visual cues in the screenshot suggest a branding overlay that does not match tr.ee, but the final URL and assets indicate a potential impersonation attempt or phishing flow targeting Runescape/League-of-something users. No explicit login form is observed in static HTML, but dynamic SPA behavior is suspected, and the presence of hidden inputs and off-domain endpoints supports credential capture risk.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://osrsjagex.gamingvote.com/cdn-cgi/challenge-platform/h/b/jsd/oneshot/625261456364/0.7817804783352856:1775265325:9lEgtXSj-5PQZIRfZcd_-fz9U1Ge11kUB6c0pOFKFJo/9e6c9fbf4e514a2b, https://osrsjagex.gamingvote.com/cdn-cgi/rum?, https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/flow/ov1/3816313534:1775265324:hslfAZfBa3xclei4K1x-CyS5XnO4iAp5fVLCpU7EMso/9e6c9fc08a917b0b/KzX3tEk_brirpCK5vkYfihafMG9r7816lHZkCcWNGlM-1775267026-1.2.1.1-oo9AbYrGPKfNOjyOTP4IAQuz6zeB40xSDsOTTmVidhG0szpGvs2limtudAqbe3za.

▸Distinctive asset clues: api.js, v8c78df7c7c0f484497ecbca7046644da1771523124516, 1, nIEjzhYK7E1nYHk.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 17

Hosts: 4

Domains: 4

Attack Techniques (1)

Off-domain credential capture flow suspected through dynamic UI rendering

Indicators of Compromise (2)

▸Hidden form inputs detected (credential capture risk) in risk data

▸Domain intelligence hints at possible typosquat similarity to IRS (irs.gov) as a risk factor

Risk AssessmentUsed in abuse reports

The page appears to be hosting a credential collection flow under a domain that visually opposes the tr.ee branding (per the screenshot) and redirects to an external domain under gamingvote.com. The combination of SPA-style credential capture signals, off-domain endpoints, and Cloudflare challenge integration strongly suggests an attempt to harvest credentials or perform brand impersonation. The presence of hidden inputs and dynamic rendering further supports this risk. Recommend treating as high-risk phishing/adversarial impersonation activity and monitor for further abuse. If confirmed, suspend domain or block URL actions should be considered while contacting the registrar for investigation.

Recommended Action

Block URL

Cross-Reference8

URL Intelligence