# down.tokenpocket-online.cn — MALICIOUS

> down.tokenpocket-online.cn impersonates OKX to steal credentials—flagged by 8/95 VirusTotal scanners. Users should avoid this domain immediately to protect.

## Summary

PhishDestroy identifies down.tokenpocket-online.cn as an active OKX brand impersonation phishing site registered to harvest user credentials and financial data. This domain poses an elevated risk due to its active status, direct impersonation of a major cryptocurrency exchange, and partial detection by security vendors. The infrastructure supporting this campaign has been traced to a specific IP address and incorporates a legitimate SSL certificate, increasing its deceptive effectiveness.

This domain was flagged by 8 out of 95 VirusTotal security vendors, indicating partial but not universal detection. It was registered through Dynadot Inc. on March 22, 2026, and resolves to IP address 103.105.23.29. The use of a Let’s Encrypt SSL certificate suggests an attempt to appear trustworthy, while its recent creation demonstrates opportunistic deployment. Despite low blocklist visibility at present, the combination of these factors signals a credible threat to users seeking OKX services.

Users should immediately avoid accessing down.tokenpocket-online.cn and verify any OKX-related links through official channels. Organizations are advised to block this domain at the network level and update browser and DNS blocklists accordingly. If credentials were entered, users must revoke access on the legitimate OKX platform and enable two-factor authentication. Security teams should inspect outbound traffic to IP 103.105.23.29 for signs of compromise and consider this domain a high-confidence indicator of credential harvesting attempts targeting OKX users.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)
- Target brand: OKX

## Domain Intelligence

- Registered: 2026-03-22 07:22:56
- Registrar: Dynadot Inc
- IP: 103.105.23.29

## Detection Status

- VirusTotal: 8 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/85db8315-3a33-40b0-ab05-b97c15c66185
- PhishDestroy: https://phishdestroy.io/domain/down.tokenpocket-online.cn/
- LLM endpoint: https://phishdestroy.io/domain/down.tokenpocket-online.cn/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/down.tokenpocket-online.cn/

Last updated: 2026-03-30