Top 12 favicon clusters
41,527
Single-FP network
328,230
CF-confirmed phishing
2,062
Top 8 server FPs (domains)
775,710
Favicon Cluster Analysis — Top 12 Operators
MurmurHash3 of /favicon.ico bytes. Identical hash = identical favicon = same operator. Each card is a distinct criminal network. Favicons loaded live via Google favicon proxy from representative sample domains.
428694214
redirect_external 2,607
empty 2,115
low_content 429
Sample IOCs
18jms.sbs
hsh9.hair
ccjapian.sbs
seaige.hair
+5,147 more
-606577425
active_content 3,822
empty 52
low_content 39
Sample IOCs
91jq157jq.work
91jq178jq.work
91jq186jq.work
91jq187jq.work
+3,911 more
-186475843
active_content 3,738
empty 81
low_content 32
Sample IOCs
337bj24.xyz
qpp91qpp.xyz
qqd8qqd.xyz
qqp3qqp.xyz
+3,854 more
1108795842
empty / Login page 3,726
All 3,726 domains serve an identical credential-harvesting “Login” page. 200+ global brands targeted.
Sample IOCs
turangiqjplzn.com
adidas-eg-tkwse.icu
aeroflot-jqvzmla.rest
afterpay-blqzen.rest
+3,722 more
-1901236982
active_content 2,646
low_content 102
empty 48
Sample IOCs
332t332.xyz
332y332.xyz
335a335.xyz
336f336.xyz
+2,794 more
-1854647327
active_content 2,225
active_with_forms 59
redirect_external 53
NEGO / BOLA Network
nego178.com
bola108.org
anda89.com
apidewa99.com
+2,337 more
84092912
active_content 2,243
redirect_external 53
APACE / KOMPAK Network
apace99.com
kompak138.org
mafiabola99.org
mentos69.org
+2,292 more
-143797184
active_content 2,244
redirect_external 34
Kimmikka / Puputoto Network
kimmikka.com
puputoto.net
kudawinx.com
lalatwin.com
+2,274 more
1311399074
active_content 1,712
redirect_external 53
Pio4D / Politogel Network
pio4d.net
piototo.net
politogel.net
yang4d.net
+1,763 more
1280084436
active_content 1,143
active_with_forms 559
redirect_external 40
IBUKOTA / IX88 Network
ibukota33.org
ix88.org
bosslot168.net
dewi168login.com
+1,738 more
661119750
active_content 1,656
redirect_external 41
JIWA4D / Made4D Network
jiwa4d.net
made4d.net
gio4d.org
luxury178.org
+1,693 more
2072365914
redirect_external 1,416
active_with_forms 102
Sample IOCs
csav4.help
ggmt7.skin
hchs2.skin
dahaiav5.help
+1,514 more
Server Fingerprint Analysis
SHA-256 of (Server + X-Powered-By + ETag response headers), truncated to 12 hex chars. Identical fingerprint = same server configuration = one operator or shared infrastructure.
Critical finding: Fingerprint
811e0897f489 appears on 328,230 domains — 9.7% of the entire scanned set. Of these, 2,062 are independently confirmed as phishing by Cloudflare. This is the largest single-infrastructure abuse operation identified in this dataset.
| # | Fingerprint | Domains | % Scanned | Classification | Sample Domains | Scale |
|---|---|---|---|---|---|---|
| 01 | 811e0897f489 | 328,230 | 9.7% | 2,062 CF-phishing |
wtfporn.sbs
raffi777hunter.com
hadiahutama.life
cmhqqlxu.info
radome49.sbs
|
|
| 02 | c7d46cc45975 | 126,956 | 3.7% | unclassified | hanime2.sbs |
|
| 03 | d8c33640a2fc | 96,493 | 2.8% | adult / gambling |
pokerasik.com
qq888jp.com
noho.top
wyylde.top
|
|
| 04 | 4492f7f3e69c | 56,242 | 1.7% | unclassified | cookwaris.com |
|
| 05 | d035bde8b6a8 | 51,490 | 1.5% | parking / redirect |
wickedpaedia.com
wickedpediame.com
|
|
| 06 | 0e4ae99dea17 | 47,765 | 1.4% | unclassified | — |
|
| 07 | 24be2aa9d598 | 36,018 | 1.1% | unclassified | wifehaose.com |
|
| 08 | 310865488d64 | 32,786 | 1.0% | Indonesian gambling |
china21a.com
crown-128.com
cipung222.com
coin-333.com
|