# ca.govzof.shop — MALICIOUS

> ca.govzof.shop is a credential theft domain impersonating California (.gov) services, flagged by 16/95 VirusTotal vendors. Avoid entering any data.

## Summary

PhishDestroy identifies ca.govzof.shop as an active credential theft domain designed to mimic official California (.gov) services, likely targeting users seeking state-related assistance or resources. The domain employs social engineering tactics to trick victims into submitting sensitive login credentials or personal information, posing a direct risk to account security and identity integrity. No evidence of a crypto drainer kit or branded impersonation beyond the .gov misdirection was observed during forensic analysis.

This domain exhibits multiple red flags across technical indicators. It was detected by 16 out of 95 security vendors on VirusTotal and is currently blocked by two prominent blocklists: OpenPhish and PhishingArmy. The domain resolves to IP address 172.67.137.58 and is secured with a Let’s Encrypt SSL certificate, which is commonly abused by threat actors to appear legitimate. The domain was registered through an unspecified registrar and is currently active, with no historical data suggesting prior abuse or takedown. Its recent appearance and low reputation score contribute to an elevated risk classification.

As of this report, ca.govzof.shop remains active and poses an elevated threat level. Immediate action is recommended: users should avoid visiting the site, and security teams should block the domain and IP at the network perimeter. Given its SSL certificate and active status, the risk of successful credential theft remains significant. Users who may have interacted with the site should change passwords immediately and monitor accounts for suspicious activity. While blocklists provide some protection, proactive user education and network-level blocking are essential to mitigate ongoing risk from this credential theft campaign.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 172.67.137.58

## Detection Status

- VirusTotal: 16 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits (OpenPhish, PhishingArmy)

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/ca.govzof.shop
- PhishDestroy: https://phishdestroy.io/domain/ca.govzof.shop/
- LLM endpoint: https://phishdestroy.io/domain/ca.govzof.shop/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ca.govzof.shop/

Last updated: 2026-04-09