
Visual Capture

Screenshot of xenluck.com

Detection Info

https://xenluck.com/
Detected Brand
Plinko Originals (Gambling Platform)
Country
International
Confidence
100%
HTTP Status
200
Report ID
ea6297b3-ff2…
Analyzed
2026-02-08 18:40

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T176E22AB49230D335B1C24BE8DA6425287A5FE1DCD3C695B4E388AF51B0D6CE8D9260CF
CONTENT ssdeep
384:4rAneuATQRhiXkdvNTDhPhLxeAxeDWNW1Tp34PxeeJEmuW3AskmRWcMd:4rAneu5hhPhleMeDGCSPxeeWmHhW

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
c0703d9f4fbc6849
VISUAL aHash
8066e0e070fe7e20
VISUAL dHash
3ccc8aabcbccecc1
VISUAL wHash
8066e66078fe7f60
VISUAL colorHash
30000000038
VISUAL cropResistant
3ccc8aabcbccecc1

Code Analysis

Risk Score 100/100
Threat Level HIGH
โš ๏ธ Phishing Confirmed
๐ŸŽฃ Credential Harvester ๐ŸŽฃ OTP Stealer ๐ŸŽฃ Card Stealer ๐ŸŽฃ Banking ๐ŸŽฃ Personal Info
WebSocket C2

🔬 Threat Analysis Report

• Threat: Phishing attack
• Target: Users of Plinko Originals
• Method: Credential harvesting through a fake registration form.
• Exfil: wss://gambler-work.com/api/ws
• Indicators: Domain age, obfuscation, registration form.
• Risk: High

🔒 Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • base64_strings

🎯 Kit Endpoints

📡 API Calls Detected

  • GET
  • POST

📊 Risk Score Breakdown

Total Risk Score
90/100

Contributing Factors

Domain Age
Domain age is recent (92 days), making it more likely to be malicious.
JavaScript Obfuscation
Obfuscated code indicates an attempt to hide malicious intent.
Registration Form
Requesting email and password is a strong indicator of credential harvesting.
Impersonation
Attempting to impersonate a legitimate service is a high-risk activity.

🔬 Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
Plinko Originals (Gambling Platform) users (International)
Attack Method
Brand impersonation + real-time WebSocket exfiltration + obfuscated JavaScript
Exfiltration Channel
WebSocket (1 endpoint)
Risk Assessment
CRITICAL - Automated credential harvesting with WebSocket (1 endpoint)

โš ๏ธ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 147 obfuscation techniques

๐Ÿข Brand Impersonation Analysis

Impersonated Brand
Plinko Originals
Fake Service
Gambling registration

Fraudulent Claims

โš”๏ธ Attack Methodology

Primary Method: Credential Harvesting

The site uses a fake registration form to collect user email and password credentials, likely to be used for account takeover or sold on the dark web. The site is related to gambling.

Secondary Method: JavaScript Obfuscation

JavaScript is obfuscated to hide malicious behavior from basic analysis, likely to exfiltrate data, bypass security tools, or redirect to a malicious site. The obfuscation uses atob, eval, and fromCharCode.

๐ŸŒ Infrastructure Indicators of Compromise

🦠 Malicious Files

Main File
fbevents.js
File Size

🔬 JavaScript Deep Analysis

Operator Language
English (1%)
Sophistication Level
Basic
Total Code Size
1017.1 KB

🔗 API Endpoints Detected

Other
25
Backend API
1
WebSocket (Real-time)
1

๐Ÿ” Obfuscation Detected

  • : Moderate
  • : Moderate
  • : Moderate
  • : None
  • : Light
  • : Light
  • : Light
  • : Light
  • : Light
  • : Light
  • : None
  • : Light
  • : Light
  • : Light
  • : Light
  • : Light
  • : Light
  • : Light
  • : Light

🤖 AI-Extracted Threat Intelligence

🎯 Malicious Files Identified

Main Drainer
fbevents.js
File Size
1018KB