ip6.arpa Wildcard Abuse: Hunting Phishing Infrastructure Across IPv6 Prefixes
ID: 503a9be4-e082-5802-9789-ae51f599b37b
STIX ID: report--503a9be4-e082-5802-9789-ae51f599b37b
Feed Name: CloudSEK Blog
**Executive Summary:** The report documents active abuse of the ip6.arpa reverse-DNS namespace: attackers add wildcard A records to delegated IPv6 /48 zones to produce per-victim phishing URLs that bypass reputation-based email and URL scanners. A global scan confirmed two active malicious zones, one proxied via Cloudflare and one hosted directly on 85.215.34.119. It also identified 384 zones using Cloudflare name servers (NS), 382 of which are staged and can be instantaneously weaponized. The report includes IOCs and practical detection and mitigation recommendations.
