# cyrexmodes.to — SUSPICIOUS

> cyrexmodes.to is a malicious site posing as a Cyrex Modes crypto wallet; it steals crypto via a drainer kit. Block now: domain resolves to 185.178.208.138.

## Summary

cyrexmodes.to has been flagged and is under active investigation for deploying a generic phishing drainer kit that purports to be a legitimate Cyrex Modes cryptocurrency wallet interface. The site mimics familiar crypto-branded UI cues to dupe victims into connecting wallets and signing malicious transactions. Security telemetry confirms an ongoing campaign aimed at cryptocurrency holders seeking discounted software or tooling.

cyrexmodes.to was registered through the Government of the Kingdom of Tonga on March 28, 2026. It currently shows a VirusTotal detection ratio of 0 out of 95 engines as of seed 861da0, meaning no engine flags it despite active phishing behavior. The domain resolves to IP address 185.178.208.138 and operates under a Let's Encrypt SSL certificate, increasing perceived legitimacy. At present, the domain is not listed on Google Safe Browsing (GSB) and has not yet accumulated blocklist entries in major threat intelligence feeds, which gives it a window of opportunity to attract victims.

As of this report, cyrexmodes.to is marked active and is under active monitoring. Immediate user action includes blocking the domain at DNS and firewall levels, flagging the associated IP in network rules, and alerting cryptocurrency communities via trusted channels. Risk remains HIGH due to zero AV detections and absence from public blocklists, meaning an expanding victim base is highly likely. Users are advised to avoid clicking links or downloading executables from this domain and to verify software sources through official channels only.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-28 12:40:18
- Registrar: Government of Kingdom of Tonga
- IP: 185.178.208.138

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/cyrexmodes.to
- PhishDestroy: https://phishdestroy.io/domain/cyrexmodes.to/
- LLM endpoint: https://phishdestroy.io/domain/cyrexmodes.to/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/cyrexmodes.to/

Last updated: 2026-04-05