# domitoken.cfd — SUSPICIOUS

> PhishDestroy identifies domitoken.cfd as an active OKX impersonation domain using a Let’s Encrypt SSL cert.

## Summary

PhishDestroy identifies domitoken.cfd as a recently activated domain engaged in brand impersonation targeting OKX, one of the world’s leading cryptocurrency exchanges. The domain was registered on January 05, 2026 through Global Domain Group LLC and immediately provisioned with a Let’s Encrypt SSL certificate to appear legitimate. While no drainer kit artifacts have been recovered at the time of writing, the page structure and visual assets closely mirror OKX’s official branding, indicating a high-fidelity imitation intended to harvest user credentials and two-factor authentication codes under the guise of a “token airdrop” or “deposit portal.” The mimicked interface includes spoofed login forms, withdrawal pages, and KYC prompts, all designed to induce users into submitting sensitive information under false pretenses. The operation appears to be a live campaign rather than a parked or inactive page, with content loading and updating dynamically to evade static analysis.

The domain resolves to IP address 188.114.96.3 and is flagged by 0 of 95 VirusTotal engines as of the latest scan. Global Domain Group LLC, a registrar known for rapid bulk registrations, facilitated the domain’s creation just days ago, and immediate SSL issuance from Let’s Encrypt lends it false trust. Google Safe Browsing has not yet flagged this domain, and public blocklists, including PhishTank and OpenPhish, currently report zero detections, placing it in a window of opportunity for threat actors to operate with low interference. WHOIS data is partially redacted, inhibiting rapid attribution, but the registrant’s choice of Global Domain Group LLC aligns with historical patterns seen in short-lived cryptocurrency-themed scam infrastructure.

The domain is classified as ACTIVE and under continuous investigation by PhishDestroy’s anti-phishing unit. Immediate mitigation actions include DNS sinkholing and SSL certificate revocation requests to certificate authorities. Users are advised to block the IP 188.114.96.3 at the network perimeter and disable access to domitoken.cfd entirely (note that 188.114.96.3 lies in address space announced by Cloudflare and is shared with unrelated proxied sites, so a domain-level block is the more precise control and an IP-level block will have collateral impact). While the current risk level is marked as UNDER_INVESTIGATION due to low detection rates, the combination of fresh registration, live SSL, and active content delivery suggests an evolving threat with potential to escalate rapidly. PhishDestroy will update its classification and IOCs as new intelligence emerges, but urges caution: any interaction with this domain, including loading it in a sandbox, poses a credible credential theft risk. The safest response is complete avoidance and prompt reporting via official incident channels.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: OKX

## Domain Intelligence

- Registered: 2026-01-05 21:47:43
- Registrar: Global Domain Group LLC
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/64f7634f-2152-49a4-ab6b-053275ed6e20
- PhishDestroy: https://phishdestroy.io/domain/domitoken.cfd/
- LLM endpoint: https://phishdestroy.io/domain/domitoken.cfd/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/domitoken.cfd/

Last updated: 2026-03-29