# at-krab2.ru — SUSPICIOUS

> AT-KRAB2.RU identified as active crypto drainer phishing domain with 0/95 VirusTotal detections. Avoid interaction and report immediately.

## Summary
PhishDestroy identifies active crypto drainer domain AT-KRAB2.RU operating under threat type generic_phishing with risk level under_investigation. This domain was flagged on January 08, 2026, and resolves to IP 104.21.5.128 registered through RU-CENTER-RU. VirusTotal confirms 0 detections out of 95 engines, indicating a newly emerged threat with no current blocklist coverage.  The domain AT-KRAB2.RU poses a direct risk to cryptocurrency users through its deployment as a crypto drainer, designed to silently exfiltrate funds from connected wallets. Technical analysis shows the domain leverages a valid SSL certificate issued by Google Trust Services, increasing its credibility and potential for successful deception. With zero detections on VirusTotal and no historical blocklist presence, this phishing infrastructure remains undetected by mainstream security measures. The domain’s recent creation date and use of a legitimate certificate provider suggest an advanced, possibly automated campaign targeting unsuspecting users.  Users who visited AT-KRAB2.RU should immediately disconnect any cryptocurrency wallets from their browsers and revoke any previously granted permissions. Conduct a full wallet audit, checking for unauthorized transactions or drained assets. Report the domain to your antivirus provider and consider blocking 104.21.5.128 at the network level. If funds were stolen, file a report with local law enforcement and your country’s financial cybercrime unit. Stay alert for follow-on phishing attempts, as compromised users may be targeted again.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registered: 2026-01-08 18:16:11
- Registrar: RU-CENTER-RU
- IP: 104.21.5.128

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/5660bc3a-33be-416c-9b40-f00066557ab7
- PhishDestroy: https://phishdestroy.io/domain/at-krab2.ru/
- LLM endpoint: https://phishdestroy.io/domain/at-krab2.ru/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/at-krab2.ru/
Last updated: 2026-03-28