URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

CACHED · Showing previous scan from 1 d ago.
PHISHING · HIGH CONFIDENCE

Phishing detected

brand: Unknown · scan id: 758eb7a4 · duration: 21.33s · signals: 2 failing / 12
Risk score 0.92
92 / 100 · High risk
URL hxxp://bafkreidgb26kajtcksilisi2oifeijkz3hrctc4n7v2awrlqq4h7yv65le[.]ipfs[.]dweb[.]link/
Host bafkreidgb26kajtcksilisi2oifeijkz3hrctc4n7v2awrlqq4h7yv65le[.]ipfs[.]dweb[.]link
Registered domain dweb[.]link
Scan ID 758eb7a4-e44f-4a1b-a0dd-bfd858850080
× Brand typo-squat detected (critical): ipfs ↔ ups · Levenshtein 2 · brand: UPS
Domain age (high): Awaiting analysis
Threat intel blocklists (critical): Awaiting analysis
Credential collection form (high): No credential collection form on visible content
Visual similarity to known brand (high): Brand presentation matches the registered owner
Favicon impersonation (medium): Favicon matches the registered owner
× SSL certificate (low): Served over plaintext HTTP
DNS reputation (medium): Awaiting analysis
showing 8 of 12

No brand impersonation signals available.

Scheme http
JARM 0d39b39b30d30d37d20320327d20122de7c02fe862e334985aa656e5df0651
Redirect hops 2
Initial scan heuristic + LLM

The page presents itself as a generic “EmailLogin” / “Secure Mail Server” login, but it is hosted on an IPFS dweb link with a randomized identifier. It includes credential-harvesting UX: a visible “Email:” field label and a “pаsswоrd” label plus an instruction/error message (“Please enter your mailbox pаsswоrd to continue.”), all inside a login form.

Key phishing signals include:

  • Suspicious URL/domain: ...ipfs.dweb.link/ with a long hash-like subdomain is not associated with any legitimate email/security provider.
  • Credential capture: the presence of a password-entry prompt strongly indicates a fake login intended to collect credentials (even though the simplified HTML shows onsubmit="return false;").
  • Obfuscation in text: “pаsswоrd” uses Cyrillic characters (homoglyphs), a common technique to evade detection and confuse users.
  • No verifiable brand: the page does not match any known provider’s branding or domain.

Because the page impersonates an email login flow without belonging to a legitimate provider’s domain, the likelihood of phishing is very high.