# began-wallet-rayiidum.pages.dev — SUSPICIOUS

> began-wallet-rayiidum.pages.dev operates as a crypto drainer, detected by 2/95 VirusTotal vendors. Block this malicious domain immediately to secure funds.

## Summary

PhishDestroy identifies began-wallet-rayiidum.pages.dev as an active crypto drainer domain with an elevated risk profile. This Pages.dev subdomain is designed to deceive users into authorizing fraudulent cryptocurrency transactions via spoofed wallet interfaces or transaction approvals, resulting in asset theft. The threat is ongoing and poses immediate danger to users engaging with wallet-related services through this domain. Security researchers traced this campaign using seed a54422 to monitor its infrastructure and propagation.

This domain was registered through Cloudflare, Inc., leveraging their Pages.dev platform for hosting. It resolves to IP address 188.114.97.3 and is secured with a Google Trust Services SSL certificate, which may be used to falsely reassure visitors of its legitimacy. Notably, VirusTotal flags this domain with a detection ratio of 2 out of 95 security vendors, indicating low but present recognition within the security community. While the domain is relatively new, its categorization as a crypto drainer and association with seed a54422 suggest a targeted campaign against crypto users. The use of a reputable hosting provider and SSL certificate reflects tactics commonly employed by threat actors to evade detection and build trust with potential victims.

Mitigation against crypto drainers like began-wallet-rayiidum.pages.dev requires proactive defensive measures. Users should immediately block the domain at the network level using DNS filtering or local hosts file entries. Cryptocurrency users must verify all transaction requests in a secure, isolated environment and never approve unsolicited approval or transfer requests. Organizations should deploy endpoint protection that monitors for anomalous wallet behavior or unauthorized access to private keys. Security teams are advised to integrate threat intelligence feeds that include seed a54422 to detect similar campaigns early. Additionally, public awareness campaigns should highlight red flags such as unexpected wallet connection requests or domains hosting wallet-related services on Pages.dev, a known platform misused by threat actors.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/38890661-fc34-487f-83b0-e927b2006027
- PhishDestroy: https://phishdestroy.io/domain/began-wallet-rayiidum.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/began-wallet-rayiidum.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/began-wallet-rayiidum.pages.dev/

Last updated: 2026-04-12