https://cenat.win/
104.21.57.249 · Cloudflare, Inc.
Toronto, Canada
64 days
200 · 40.4s
Valid · E8, Let's Encrypt, US
COMPLETED
Linked Phishing Report
This scan is attached to a vendor submission report
Brand
Blockchain.com (as implied by page title)
Vendors
26/30
Status
partial
No KB/IOK detections were recorded for this scan.
finance | technology | cryptocurrency · 6/3/2026
The page cenat.win displays a brand-aligned Crypto Casino theme, but the page title explicitly references Blockchain.com, creating a strong impersonation signal on a non-official domain. Domain age is recent (64 days) and the SSL certificate is from Let's Encrypt. The site loads numerous external scripts and tracking endpoints, and the HTML contains no static login form, suggesting a SPA that could render credential capture via JavaScript. Network and resource signals indicate potential credential collection logic embedded in dynamic scripts, and an observed POST to a CDN-CGI rum endpoint may be used for analytics or exfiltration. Overall, there is compelling impersonation risk, with signs of credential harvesting potential in an SPA context, albeit not definitively proven from static HTML alone.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 98
Hosts: 4
Domains: 4
Suspicious Endpoints
hxxps://cenat[.]win/api/extra/holiday
hxxps://cenat[.]win/api/extra/pixel
hxxps://cenat[.]win/api/extra/promoIp
hxxps://cenat[.]win/api/mammoth/auth/check
The scan shows explicit impersonation signals (page title referencing Blockchain.com on cenat.win) combined with SPA behavior that could render credential-capture UI via JavaScript. Although no static login form is present in the initial HTML, the heavy use of dynamic scripts, suspicious API endpoints, and ad/tracking integrations suggest potential credential harvesting capabilities. Given the impersonation signals, the domain age, and the exfiltration-oriented network activity, this site should be treated as a high-risk impersonation attempt. Recommend heightened scrutiny and takedown consideration if corroborated by abuse reports.
Suspend Domain