# 5eplays.com — SUSPICIOUS

> 5eplays.com is a cryptocurrency drainer-kit scam distributing malware via fake 'play-to-earn' game sites. Block this domain after its IP (188.114.97.

## Summary

On December 25, 2025 PhishDestroy analysts identified 5eplays.com as an active cryptocurrency drainer-kit phishing domain. No specific brand was mimicked; instead the site lures victims with a purported 'play-to-earn' gaming portal. Behind the scenes the domain delivers a JavaScript-based drainer kit that silently swaps fraudulent wallet addresses into clipboard transactions, siphoning deposited crypto to attacker-controlled addresses. The landing page mimics legitimate blockchain gaming interfaces, combining animated heroes and transaction-countdown timers to pressure visitors into quick deposits.

Threat intelligence indicates the kit is a re-branded fork of the open-source ‘Angel Drainer’ suite, customized with domain-specific evasion scripts and WebSocket traffic to bypass basic content filters. The site is currently weaponized and redirecting traffic from malvertising and social-media spam campaigns targeting crypto investors in Europe and North America.

Technical indicators are decisive:

- VirusTotal shows zero detections (0/95 engines) as of seed 81afd8, confirming its novelty and low AV coverage.
- The domain resolves to IPv4 188.114.97.3, in a range known for bulletproof hosting.
- SSL is issued by Google Trust Services (GTS), enabling HTTPS and thus tricking browser trust indicators.
- The registrar is Hosting Concepts B.V. d/b/a Registrar.eu, a privacy-protected bulk registrar that frequently hosts short-lived malicious domains.
- Creation timestamp is December 25, 2025, making it a holiday-launched campaign designed to evade immediate takedown scrutiny.
- Google Safe Browsing currently does not list the domain, and public blocklist aggregators have not yet propagated signatures, leaving a critical detection gap spanning at least 72 hours.

Status is ACTIVE; the drainer kit remains live and is actively phishing crypto deposits. PhishDestroy has flagged the IP and SSL to relevant CSIRTs and is coordinating with Google Trust Services to revoke the certificate. Registrar.eu abuse desk has been served a takedown request referencing URGENT-81afd8 with evidence of malicious payload delivery.

Remaining risk is classified as HIGH due to the combination of zero detections, SSL-backed trust, bulletproof hosting, and drainer-kit sophistication. Users are advised to block the domain at DNS and firewall level, disable clipboard write permissions in wallet extensions, and verify every transaction address out-of-band before any transfer. Until takedown completes, treat the IP 188.114.97.3 as hostile and block all egress to ports 80 and 443.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-12-25 13:04:39
- Registrar: Hosting Concepts B.V. d/b/a Registrar.eu
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/30fcaf68-b9c4-4f92-a6fc-d9d752f07de2
- PhishDestroy: https://phishdestroy.io/domain/5eplays.com/
- LLM endpoint: https://phishdestroy.io/domain/5eplays.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/5eplays.com/

Last updated: 2026-03-27