a month ago
Hello Railway Team,
I am reporting two active phishing projects currently deployed on your platform targeting Venezuelan banking customers.
Note: URLs defanged to prevent accidental clicks. Screenshots attached.
ACTIVE PHISHING DOMAINS:
1. hxxps://creditosmercantilve[.]up[.]railway[.]app/
hxxps://creditsmercantil[.]up[.]railway[.]app/
- Impersonates: Mercantil C.A., Banco Universal (RIF: J-00002961-0)
- Fully cloned login portal stealing credentials
- Real-time victim control panel: /load.php?id=[hash]&check=1 - Operator manually redirects victims in real time
- Confirmed active: April 12, 2026
THREAT ACTOR:
- Telegram: @PHP_GOTY
- GitHub: github[.]com/PHPGOTY666
- Actor signed source code with Telegram handle in ASCII art comment inside load.php
REQUESTED ACTION:
Immediate takedown of both projects and suspension of the associated Railway account.
Attachments
3 Replies
Status changed to Awaiting Railway Response Railway • about 1 month ago
a month ago
Hi,
We have taken the offending service offline. Thanks for reporting, and keep it coming!
Best,
The Railway Team
Status changed to Awaiting User Response Railway • about 1 month ago
a month ago
Hi,
We have taken the offending service offline. Thanks for reporting, and keep it coming!
Best,
The Railway Team
a month ago
Thanks for the detailed report. Both domains have been flagged and the associated accounts are being taken down. For future abuse reports, you can also email abuse@railway.com directly.
Status changed to Solved brody • about 1 month ago