# app.moon.villas — SUSPICIOUS

> PhishDestroy identifies active crypto drainer on app.moon.villas resolving to 216.150.16.65. VT score 0/95. Check the full report.

## Summary

PhishDestroy identifies app.moon.villas as an active cryptocurrency drainer campaign under investigation since seed 739c5a. The domain mimics a legitimate villa booking service to trick victims into connecting wallets and approving malicious token transfers. No specific brand or drainer kit has been attributed yet, but infrastructure overlaps with known fake booking portals observed in Southeast Asia phishing clusters. The page title and SSL certificate (Let’s Encrypt) are consistent with operational phishing pages designed to appear credible during initial access. Further behavioral analysis is ongoing to map this campaign to a wider threat actor group or infrastructure family.

This domain was flagged by PhishDestroy with the following technical indicators: VirusTotal detection score of 0/95 as of the latest scan, hosted on IP 216.150.16.65, using a Let’s Encrypt SSL certificate issued to app.moon.villas. The domain is registered via NameBright.com and was created on March 12, 2024. Google Safe Browsing (GSB) has no current blocklisting, and third-party threat intelligence platforms show zero prior detections. The domain is currently resolving and actively serving a spoofed booking interface that prompts wallet connections under the guise of “secure payment processing.”

The campaign is classified as ACTIVE with a risk level of UNDER_INVESTIGATION. PhishDestroy has initiated takedown coordination with hosting provider Liquid Web and SSL issuer Let’s Encrypt. Users are advised to block the domain at network and endpoint levels and avoid interaction. While the immediate risk is elevated due to active hosting and lack of signature-based detection, the absence of prior abuse history suggests opportunistic deployment rather than sustained targeting. Remaining risk includes potential pivoting to similar domains under the moon.villas namespace. Users should monitor wallets for unauthorized token approvals or transfers and report suspicious domains via PhishDestroy’s portal.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Page title: app.moon.villas

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 216.150.16.65

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/fa877aae-a0c0-4bfc-8c87-7b077341180f
- PhishDestroy: https://phishdestroy.io/domain/app.moon.villas/
- LLM endpoint: https://phishdestroy.io/domain/app.moon.villas/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/app.moon.villas/

Last updated: 2026-03-24