# authdappresolve.pages.dev — MALICIOUS

> Phishing domain authdappresolve.pages.dev steals credentials via fake auth prompts. Flagged by 15/95 VirusTotal engines and blocked by 5 security platforms.

## Summary
PhishDestroy identifies authdappresolve.pages.dev as a live credential-stealing site masquerading as a legitimate authentication gateway. This malicious page lures users into entering passwords, 2FA codes, wallet seeds, or API keys by presenting fake login prompts that mimic Google, MetaMask, or enterprise SSO systems. Upon submission, stolen credentials are immediately exfiltrated to attacker-controlled infrastructure, enabling account takeover, fund theft, or lateral movement in corporate environments. Users who enter data risk immediate compromise of personal accounts, financial assets, and corporate access privileges.


This domain was flagged by 15 out of 95 VirusTotal security vendors and blocked by five prominent security platforms, including Polkadot, Codeesura, SEAL, Enkrypt, and MetaMask. Cloudflare, Inc. hosts the domain under the googleusercontent.com namespace and the SSL certificate is issued by Google Trust Services. The domain resolves to IP 172.66.44.137 and can be traced back to a pages.dev subdomain created in October 2023 as part of a large-scale campaign targeting users of web3 wallets, SaaS logins, and Google Workspace accounts. The campaign uses evasive techniques including domain fronting via Cloudflare Pages, dynamic DNS rotation, and TLS certificate chaining to evade detection by browsers, endpoint protection, and sandbox environments.


If you visited or entered credentials on authdappresolve.pages.dev, immediately revoke third-party app permissions in your Google Account, change passwords for all accounts entered, and scan endpoints for unauthorized sign-ins or installed extensions. Disable browser extensions not actively used and run a full antivirus scan on all devices. Report the domain to your organization’s security team and file a report with Google Safe Browsing and your wallet provider if cryptocurrency access was involved. Monitor financial accounts and enable multi-factor authentication with hardware keys or app-based tokens for critical services going forward.

## Threat Details
- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.44.137

## Detection Status
- VirusTotal: 15 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 6 hits
  Lists: ["Polkadot", "Codeesura", "SEAL", "Enkrypt", "MetaMask", "OISD"]

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/7caf6d93-6a22-41d2-a26d-6bfefbdbd398
- PhishDestroy: https://phishdestroy.io/domain/authdappresolve.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/authdappresolve.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/authdappresolve.pages.dev/
Last updated: 2026-03-22