Is phe18.io safe?

encoded payload

suspicious base64-like blobs detected in page content

malicious redirect

The scanned domain phe18.io serves content that immediately redirects/proxies from phe18.cc. The canonical URL, all internal links, pingback endpoint, RSS feeds, and all asset references point to phe18.cc rather than phe18.io. The scanned domain appears to be a shadow/mirror domain routing traffic to the primary domain without disclosure, a common technique to evade domain-level blocklists. (location: page.html:8 (pingback), page.html:15 (canonical href=https://phe18.cc/), page.html:20 (og:url), metadata.json (url=https://phe18.io vs content canonical=https://phe18.cc))

malicious redirect

External JavaScript loaded from third-party domain axx.hellobabygirl.live — an opaque, unverifiable domain serving a script named adx_phe18.js with full DOM access. This script is loaded with no integrity (SRI) hash and executes in the page context, capable of injecting redirects, harvesting clicks, or loading further payloads. The domain name pattern (axx + suggestive subdomain) is consistent with ad-fraud or malvertising infrastructure. (location: page.html:1469 (https://axx.hellobabygirl.live/axx/js/adx_phe18.js), page.html:34 (dns-prefetch for //axx.hellobabygirl.live))

hidden content

Tag links are dynamically injected via jQuery AJAX from the WordPress REST API (wp-json/wp/v2/tags). Tags beyond the first 10 are rendered as anchor elements with class 'hidden_tags' and immediately hidden via jQuery .hide(). This technique allows the site to serve hidden hyperlinks to search engine crawlers and AI agents that do not execute JavaScript, while concealing them from human visitors — a classic SEO cloaking and hidden-link injection pattern. (location: page.html:366-409 (script block injecting hidden_tags anchors), page.html:389 ($('a.hidden_tags').hide()))

social engineering

The 'Upload video' button in the header and mobile sidebar navigation links directly to https://tuoi69hd.net/myacount/?action=register — an external domain's user registration page. This cross-site registration link is presented as a native site feature, luring users to create accounts on a separate, unvetted third-party adult site without clear disclosure that they are leaving phe18.io/phe18.cc. (location: page.html:265-266, page.html:1337-1338)

brand impersonation

The site impersonates or aggregates brand identities of well-known adult platforms (Pornhub, Xhamster, XNXX, Xvideos, Tube8, Bangbros, Chaturbate, Rule34) as navigation category labels, creating the false impression of affiliation with or authorization by those brands. This is a common pattern on piracy/scraper sites to attract search traffic and deceive users into believing they are accessing official content. (location: page.html:230-245 (menu items for Xhamster, XNXX, Xvideos, Tube8, Bangbros, Chaturbate, Rule34, Pornhub), page.html:1394-1409)

hidden content

All thumbnail images are loaded as 1x1 transparent SVG placeholders in the src attribute, with the real image URL stored in the data-src attribute for lazy loading. While this is a standard performance technique, it also means the real image URLs and content are not visible to non-JavaScript crawlers or AI agents parsing the raw HTML, creating a discrepancy between what an agent sees and what a human browser renders. (location: page.html:434, 458, 482, 506, etc. (all post thumbnail img tags with src=data:image/svg+xml placeholder and data-src pointing to real image))

hidden content

HTML comment at the very end of the page leaks internal server-side cache metrics including hit/miss ratios, store read/write counts, SQL query counts, and millisecond timing data. This information disclosure could assist attackers in fingerprinting the caching infrastructure (object-cache-pro with phpredis client) and planning timing-based or cache-poisoning attacks. (location: page.html:1484 (<!-- plugin=object-cache-pro client=phpredis metric#hits=8230 ... -->))