# backoffice.aurum.foundation — SUSPICIOUS

> PhishDestroy identifies backoffice.aurum.foundation as a brand impersonation phishing domain impersonating Aurum (crypto).

## Summary

PhishDestroy’s forensic analysis confirms backoffice.aurum.foundation is a live brand impersonation phishing domain designed to mimic Aurum’s official infrastructure and harvest cryptocurrency wallet credentials or seed phrases. The domain leverages a deceptive subdomain (backoffice.) to lend false legitimacy to a fraudulent login portal targeting Aurum users. While no custom drainer kit artifacts were detected in the available telemetry, the page structure and SSL certificate configuration align with known generic phishing toolkits that automate credential exfiltration to attacker-controlled servers. Aurum’s legitimate domains (aurum.foundation and associated subdomains) do not include a backoffice endpoint, confirming malicious impersonation intent.

Technical indicators corroborate the malicious classification. The domain was registered through NAMECHEAP INC on August 01, 2024, resolving to IP 104.20.33.115. Google Safe Browsing (GSB) has not yet flagged the domain, and VirusTotal detection stands at 1/95 security vendors as of the latest scan. This low VT ratio suggests either low global exposure or evasion tactics such as fast-flux DNS or cloaking based on geolocation or user-agent. The domain holds a valid SSL certificate issued by Google Trust Services, likely to bypass browser warnings and increase user trust during credential submission.

This domain remains ACTIVE and poses an elevated risk to cryptocurrency holders, particularly those familiar with Aurum’s brand. The combination of fresh registration, low detection coverage, and SSL-backed impersonation creates a high-confidence threat profile. Users should block 104.20.33.115 at the network level and avoid visiting backoffice.aurum.foundation.

Aurum users are advised to verify all communications via official channels and use hardware wallets or multi-factor authentication to mitigate credential theft. Security teams should monitor for related infrastructure and update blocklists accordingly. Remaining risk is elevated due to active status and potential for rapid expansion.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2024-08-01 10:54:39
- Registrar: NAMECHEAP INC
- IP: 104.20.33.115

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/a572a599-0ad0-44c7-9631-fd8cb126f9df
- PhishDestroy: https://phishdestroy.io/domain/backoffice.aurum.foundation/
- LLM endpoint: https://phishdestroy.io/domain/backoffice.aurum.foundation/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/backoffice.aurum.foundation/

Last updated: 2026-03-27