# ca.gov-zae.cfd — MALICIOUS

> ca.gov-zae.cfd impersonates a California government domain to deploy a crypto drainer. Flagged by 13/95 VirusTotal engines.

## Summary

PhishDestroy identifies ca.gov-zae.cfd as an active crypto-draining phishing site masquerading as a legitimate California government portal. Evasion tactics include a superficially valid SSL certificate issued by Let’s Encrypt and registration through Dynadot LLC on March 25, 2026. The domain resolves to IP 43.165.68.78, yet it has already been blocked by OpenPhish and PhishingArmy, and it is flagged by 13 out of 95 VirusTotal security vendors, placing the site at an elevated risk level.

This domain was flagged within hours of creation, highlighting the attacker’s preference for time-boxed campaigns. Registration via Dynadot LLC offers no inherent legitimacy, while the Let’s Encrypt certificate only secures data in transit without authenticating site ownership. The IP address 43.165.68.78 has no established reputation and appears exclusively in this malicious context. With zero trust score across blocklists and a 14% detection rate on VirusTotal, the site demonstrates clear malicious intent—specifically, credential harvesting followed by cryptocurrency fund extraction.

Mitigation against this crypto drainer threat requires user-level controls and network enforcement. Users must refrain from entering any credentials or wallet addresses on ca.gov-zae.cfd. Organizations should block the domain and IP at DNS and firewall layers, referencing the exact indicators—domain, IP, and registrar. For ongoing protection, PhishDestroy recommends continuous monitoring of newly registered .cfd domains that mimic government TLDs.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-25 17:10:45
- Registrar: Dynadot LLC
- IP: 43.165.68.78

## Detection Status

- VirusTotal: 13 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  Lists: ["OpenPhish", "PhishingArmy"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/551d7aa6-cb19-4f24-b173-c46c6d8ddfd4
- PhishDestroy: https://phishdestroy.io/domain/ca.gov-zae.cfd/
- LLM endpoint: https://phishdestroy.io/domain/ca.gov-zae.cfd/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ca.gov-zae.cfd/
Last updated: 2026-03-27