# app-dual.pages.dev — SUSPICIOUS

> app-dual.pages.dev is a crypto credential theft domain flagged as a generic phishing site by 1/95 VirusTotal vendors.

## Summary

PhishDestroy identifies app-dual.pages.dev as an active crypto credential theft domain operating under Cloudflare Pages. This fake app clone targets users by impersonating legitimate dual-app interfaces to harvest cryptocurrency wallet credentials and private keys. Security telemetry indicates active deployment of drainer kits designed to siphon funds from compromised wallets upon login. The campaign leverages typosquatting and social engineering to lure victims into entering seed phrases or connecting wallets under false pretenses.

The domain resolves to IP 188.114.97.3 and uses a Let's Encrypt SSL certificate issued through Cloudflare, Inc. VirusTotal analysis shows only 1 out of 95 security vendors currently flag this domain. Registrar data confirms Cloudflare Inc.’s involvement, and the site appears unblocked by Google Safe Browsing as of current scans. The page serves a near-perfect replica of a popular dual-app interface, with malicious JavaScript intercepting clipboard content and wallet connection requests to exfiltrate credentials to a remote endpoint hosted on the same IP subnet.

This domain remains active and poses an elevated risk to cryptocurrency users. Immediate response includes blocking 188.114.97.3 at the firewall, adding app-dual.pages.dev to DNS blocklists, and flagging the associated SSL certificate for revocation. Users are advised to avoid dual-app download links from unofficial sources and verify all crypto wallet connections on open-source explorers. Remaining risk persists due to low VT coverage and reliance on live CDN infrastructure to evade detection.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/457d2dde-20f8-4182-a658-426934e1255d
- PhishDestroy: https://phishdestroy.io/domain/app-dual.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/app-dual.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/app-dual.pages.dev/

Last updated: 2026-03-31