April 2026 Round 3 Investigation: Global #3 Worst Registrar, UK Shell Company Proof & Connected Ecosystem
PhishDestroy's analysis of 342 million domains across 104 registrars ranks UltaHost as the #3 highest-risk registrar in the world. UK Companies House records prove the shell company structure. This is the most comprehensive evidence compilation to date.
1. UltaHost is Ranked #3 Worst Registrar Globally
PhishDestroy Registrar Risk Statistics — analyzing 342 million domains across 104 registrars
Only two registrars scored worse:
UltaHost ranks WORSE than:
- • Nicnames (#5 — 60/100)
- • Unstoppable Domains (#6 — 53/100)
- • NiceNIC (#7 — 53/100, the registrar PhishDestroy already called “powering global cybercrime”)
- • Dynadot, Cloudflare, Namecheap, GoDaddy — all scored dramatically better
UltaHost Risk Breakdown
Top countries: Germany (3,175), US (2,552), Czechia (801), Singapore (633), Canada (540)
This is the single most damning independent data point: a cybersecurity organization that analyzes every major registrar on earth places UltaHost in the top 3 worst of 104 analyzed.
Source: phishdestroy.io/registrar-stats/
2. UK Shell Company Proof — Definitively Links UltaHost to Turkey
ULTAHOST LTD, UK Companies House Company No. 14567126
This publicly verifiable UK government record conclusively proves the HostScore reviewer's claim that UltaHost is “Turkish people with scam companies pretend names in the UK and US stealing money”:
This means the entire multimillion-dollar UltaHost operation's UK arm is a one-person shell with £10,000 in capital, directed from a Turkish apartment, wholly controlled by a single individual.
Combined with the Delaware “registered agent” address (651 N Broad St Suite 206 — a mass-corporate-services address) and the confirmed Turkish phone number (+90 555 000 0111), this fully proves UltaHost is operationally Turkish while using US and UK shell structures for legitimacy.
3. Elin Doughouz — Multiple Aliases & Russian Birthplace
Crunchbase and ZoomInfo data reveal significant obscured-identity details:
Multiple publicly used aliases combined with a shell-company UK entity, a registered-agent Delaware address, and a Turkish home address constitutes a clear pattern of identity and jurisdictional obfuscation.
4. UltaHost Runs Its Own Autonomous System — 49,239 Domains Hosted
ASN: AS214036 (ULTAHOST-AS) — assigned by RIPE NCC on October 15, 2024.
CRITICAL:BGP.HE.net reports “AS214036 announces bogons” — bogons are invalid/unassigned IP ranges that legitimate networks should never advertise. Announcing bogons is a network hygiene failure strongly associated with spam-friendly and abuse-friendly infrastructure providers.
German IP range 84.200.154.0/24 via First Colo GmbH (Frankfurt) — abuse contact [email protected], confirming the Frankfurt operation despite the Delaware paper address.
5. WoWonder Backdoor Scandal — Connected Scam Operation
The Doughouz brothers don't just run UltaHost. They've been running what appears to be a coordinated scheme across multiple products. Their CodeCanyon brand “DoughouzForest” (9,982 purchases across 6 products) sells PHP scripts that cybersecurity professionals publicly accuse of containing backdoors.
“Scam site. It has backdoors, and creates automatic accounts on the site to publish ads after you purchase it for a period of time.”
— WoWonder Trustpilot review
“These scammers have a back door in their script and hacked my site repeatedly blaming it on my host trying to get me to pay them money to use their host. TOTAL SCAMMERS! Any script with back doors is not secure! ... They cost me millions of dollars as they injected viruses in hundreds of my sites on my server.”
— WoWonder Trustpilot review
“I am associated with cyber security and w9wonder [sic] guys have developed really good script I can say but on other side what they have done is created and left backdoors in script means they can access your service anytime without your permission.”
— WoWonder Trustpilot review
The Chain-of-Harm Pattern
- 1.Customer buys WoWonder script from DoughouzForest
- 2.Alleged backdoors allow unauthorized access
- 3.Site gets hacked
- 4.Scammer blames the customer's hosting provider
- 5.Customer gets upsold UltaHost as the "secure solution"
- 6.UltaHost then proceeds to provide the poor support documented in our existing evidence
The DoughouzDark account on CodeCanyon adds even more products. This is not an isolated hosting company — it's a connected ecosystem of alleged frauds run by the same brothers.
6. Hosting Industry Openly Categorizes UltaHost as “Bulletproof Hosting”
HostAdvice — a mainstream hosting-review directory — now explicitly lists UltaHost in their “Best Bulletproof Hosting Services by Reddit (Jan 2026)” guide:
“Ultahost is renowned for offering robust hosting services that ensure maximum uptime and security. Catering to clients who require high levels of anonymity and protection from DDoS attacks, Ultahost provides an excellent solution for businesses and individuals needing resilient and secure hosting.”
“Ultahost also offers flexible payment options, including cryptocurrencies, which add an extra layer of privacy for clients.”
— HostAdvice
The industry is openly marketing UltaHost to the very demographic that buys bulletproof hosting — those needing to hide identity and evade takedowns.
7. Criminal Domains Hosted/Registered by UltaHost
PhishDestroy's database contains 728 flagged UltaHost-registered phishing domains. Categorized sample showing the breadth of criminal operations:
Bank Impersonation Phishing
Web3/Crypto Wallet Phishing (Wallet Drainer Sites)
Airdrop Scams (Fake Crypto Giveaways)
Token Presale Scams (Fake ICO Infrastructure)
Investment Fraud / Trading Scams (Pig Butchering Infrastructure)
Trading Platform Fraud
Government Impersonation Fraud
Meeting Phishing & Generic Scam Infrastructure
8. Updated Phishing Statistics
PhishDestroy data as of April 18, 2026:
| Total flagged phishing domains | 728 |
| Formal abuse reports sent | 433 |
| Still alive | 245 (33.7%) |
| Taken down | 452 |
| Active after report | 57–58% |
| VirusTotal confirmation | 98.4% |
| Domains with VT ≥ 5 | 293 |
Wallet Drainer Malware (system-wide counts)
Brands Most Impersonated (system-wide)
Scam Categories
9. The “Registrar Liability” Legal Angle
PhishDestroy's investigation “When Abuse Reports Go Nowhere” establishes a powerful legal principle directly applicable to UltaHost:
“Once the registrar receives the report, they are no longer ignorant. They have been informed, with evidence, that a domain under their control is being used to steal money, credentials, and identities. From that moment, continued inaction is not negligence — it is a conscious decision to allow harm.”
“Is the registrar willing to accept liability for every dollar stolen through a domain they were warned about? Is the registrar prepared to compensate victims who lost funds after the abuse report was filed and ignored?”
PhishDestroy's public destroylist (hosted on GitHub) creates a timestamped public record — the exact moment UltaHost was notified of each malicious domain is now part of the public court record for any future victim lawsuit.
10. The Upstream Carriers Enabling UltaHost
Seven networks provide upstream connectivity to UltaHost's AS214036. These companies could cut off UltaHost tomorrow:
The Dutch carriers Netrouting and Asimo Networks, plus Frankfurt's First Colo GmbH (handling the 84.200.154.0/24 IP block), form the backbone of UltaHost's actual physical infrastructure. Pressuring these upstream carriers is a concrete leverage point because they can face their own abuse complaints for knowingly routing traffic from a PhishDestroy-confirmed #3 worst registrar.
Source: bgp.tools/as/214036
11. Action Steps & Leverage Points
UK Companies House Complaint
ULTAHOST LTD is a £10,000 shell with a Turkish resident director running a multimillion-dollar fraud-enabling operation. UK anti-money-laundering and shell company regulations may apply.
HMRC / UK Tax Scrutiny
The UK company's actual revenue reality vs. £10,000 capital filing may warrant scrutiny.
RIPE NCC Complaint
AS214036 'announces bogons,' a network-hygiene violation of RIPE policy.
Upstream Carrier Complaints
Netrouting B.V. and Asimo Networks B.V. in the Netherlands can be directly pressured via their own abuse channels.
First Colo GmbH (Frankfurt) Abuse
Handles the 84.200.154.0/24 IP block. Directly addressable at [email protected].
Envato / CodeCanyon Abuse Report
DoughouzForest's 9,982-purchase account with documented backdoor allegations should face Envato scrutiny.
Turkish Authorities
A Turkish resident running UK and US shell companies to deliver services that Turkey's own authorities may find concerning.
PhishDestroy Cross-Reference
UltaHost is in the same category as NiceNIC and NameSilo (both PhishDestroy-exposed). An equivalent UltaHost-specific deep-dive is the logical next escalation.
12. Complete Source List — Round 3
UK Government Records
Network / BGP Evidence
PhishDestroy Intelligence
Doughouz Brothers / WoWonder
Bulletproof Hosting Classifications
Compiled April 20, 2026. All information publicly sourced for accountability journalism purposes.