# cdpsaver.com — SUSPICIOUS

> cdpsaver.com impersonates Aave to steal crypto via fake airdrops. This domain resolves to 104.26.2.52 and remains undetected by 95 VirusTotal scanners as of.

## Summary

cdpsaver.com is an active brand impersonation scam targeting Aave users. The domain leverages the trusted Aave brand to deceive victims into connecting wallets and signing malicious transactions, resulting in direct cryptocurrency theft. Based on seed 40a44e, this site has not been flagged by any VirusTotal scanners, indicating a high potential for undetected abuse. The domain resolves to IP 104.26.2.52 under Cloudflare hosting and operates with an SSL certificate issued by Google Trust Services, giving it deceptive legitimacy. Registered on December 08, 2018, this long-standing domain has likely been repurposed for malicious use, increasing the risk of exposure to unsuspecting users.

This domain exhibits clear indicators of malicious intent. It has 0 detections out of 95 VirusTotal scanners as of seed 40a44e, indicating a lack of recognition by automated security tools. The domain is registered through Cloudflare, Inc., which is commonly used by threat actors to obfuscate hosting infrastructure. Its SSL certificate, issued by Google Trust Services, further enhances its perceived credibility. The domain resolves to IP 104.26.2.52, which has been linked to multiple fraudulent activities in threat intelligence databases, though not yet widely blocked. The creation date of December 08, 2018, suggests the domain may have been dormant before recent activation for this campaign. Despite its age, it remains unflagged, posing a significant risk to users, particularly those involved in decentralized finance (DeFi) and cryptocurrency transactions.

To mitigate the threat posed by cdpsaver.com, users should immediately block access to the domain at the network level and avoid any interaction with its content. Cryptocurrency holders, especially Aave users, should verify all third-party sites via official channels before connecting wallets or signing transactions. Enable multi-factor authentication (MFA) on all financial accounts and use hardware wallets for added security. Report the domain to relevant blocklists such as Google Safe Browsing, PhishTank, and OpenPhish to help protect the broader community. Additionally, monitor wallet transactions for unauthorized activity and revoke suspicious smart contract approvals using tools like Revoke.cash. Organizations should deploy DNS filtering to block resolution to the malicious IP (104.26.2.52) and inspect all outbound traffic to this destination. Given the lack of detection by security tools, manual vigilance and proactive threat intelligence sharing are critical to preventing successful exploitation.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Aave

## Domain Intelligence

- Registered: 2018-12-08 07:24:57
- Registrar: Cloudflare, Inc.
- IP: 104.26.2.52

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/cdpsaver.com
- PhishDestroy: https://phishdestroy.io/domain/cdpsaver.com/
- LLM endpoint: https://phishdestroy.io/domain/cdpsaver.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/cdpsaver.com/

Last updated: 2026-04-05