# at-kra32.cc — MALICIOUS

> at-kra32.cc impersonates MetaMask to steal crypto wallet credentials. VirusTotal flags 12/95 vendors. Check the full report.

## Summary

at-kra32.cc is an active phishing domain designed to mimic legitimate cryptocurrency wallet login pages, specifically targeting MetaMask users. The domain lures victims with deceptive branding, presenting a convincing fake interface that captures entered credentials and private keys. Once harvested, these details are likely used to drain cryptocurrency wallets or facilitate further fraudulent transactions. Security researchers have confirmed this domain resolves to IP 188.114.97.3 and is currently blocked by MetaMask’s threat intelligence systems, indicating high-confidence malicious activity.

PhishDestroy identifies this domain as a significant threat, with concrete evidence supporting its malicious nature. The domain was registered on January 23, 2025, through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar often associated with high-risk or disposable domains. Security blocklists have flagged this domain once, while VirusTotal reports detection by 12 out of 95 security vendors, reinforcing its elevated risk profile. Notably, the domain leverages a Google Trust Services SSL certificate, which may further deceive users into believing the site is legitimate. The combination of recent registration, low blocklist presence, and partial but consistent vendor detection suggests this phishing campaign is actively evolving.

If you or your users have visited at-kra32.cc, immediately cease any interaction with the site and check your cryptocurrency wallets for unauthorized transactions. Revoke any permissions granted to the domain and reset wallet credentials if exposed. Report the domain to your security team or platform provider (e.g., MetaMask) to ensure broader blocking. Consider running a full malware scan on affected devices, as phishing domains may also deploy additional payloads. Proactively monitor wallet addresses for suspicious activity and enable multi-factor authentication where possible to mitigate future risks.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-01-23 20:57:51
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 12 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hits
  - Lists: ["MetaMask"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/36ce203c-307b-44d1-ba94-6a05ce05bcc1
- PhishDestroy: https://phishdestroy.io/domain/at-kra32.cc/
- LLM endpoint: https://phishdestroy.io/domain/at-kra32.cc/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/at-kra32.cc/

Last updated: 2026-03-26