https://sh420real.fans.link/
104.26.14.117 · Cloudflare, Inc.
Toronto, Canada
2497 days
200 · 31.8s
Valid· WE1, Google Trust Services, US
COMPLETED
Registered-domain escalation
Submit fans.link as the primary IOC, enriched with evidence from hostile subdomains like sh420real.fans.link.
No KB/IOK detections were recorded for this scan.
Technology · 7/19/2026
The page presents branding that resembles a personal link hub (SH420REAL) hosted under sh420real.fans.link, with multiple InstaBio-like assets loaded from bio.linkcdn.cc. The page title and assets point to a generic link-in-bio service rather than a well-known brand; however, the visual heavy impersonation signals a potential clone of a popular link-in-bio/Instabio interface. No explicit credential harvesting form is visible in the static HTML, and the form fields are not present in the source; the SPA nature suggests credential UI could be rendered client-side. POST requests to Google Analytics and a second analytics endpoint indicate data collection but do not by themselves prove credential phishing. Overall, evidence shows branding consistent with a clone or spoofed link-in-bio page rather than a definitive first-party abuse, but the strong impersonation cues in the visuals require cautious handling.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 40
Hosts: 8
Domains: 8
No specific IOCs identified in source
The site uses a visually branded interface that imitates a popular link-in-bio service, hosted on a non-official domain. While there is no static credential form detected in the HTML, the SPA nature and third-party asset loading strongly suggest credential collection could occur via JavaScript-rendered UI. The presence of impersonation cues in visuals, coupled with analytics data collection to Google Analytics and a branded Instabio pathway, indicates potential phishing risk if users are deceived into entering credentials. Recommend ongoing monitoring and confirmation of brand legitimacy; the current data does not definitively show credential harvesting but indicates impersonation risk.
Monitor