# download-en-faq.pages.dev — SUSPICIOUS

> PhishDestroy identifies download-en-faq.pages.dev as a crypto drainer impersonating support FAQs. VirusTotal shows 0/95 detections. Block immediately and report.

## Summary
PhishDestroy flags download-en-faq.pages.dev as an active crypto drainer campaign masquerading as an English FAQ download portal. The domain leverages Cloudflare Pages hosting to deliver a JavaScript-based cryptocurrency drainer kit targeting unsuspecting users seeking software downloads. No direct brand impersonation was detected in the seed data, but the payload structure aligns with known automated drainer toolkits observed in recent campaigns targeting DeFi users and crypto wallet holders.  

This domain resolves to IP 188.114.96.3 and is registered through Cloudflare, Inc., utilizing a Google Trust Services SSL certificate for added legitimacy. VirusTotal currently shows 0/95 detection engines flagging the domain, indicating a zero-day status with no AV coverage. The domain was created recently under Cloudflare's Pages service, which allows rapid deployment and takedown evasion. No entry was found in Google Safe Browsing (GSB) or major blocklists at the time of analysis, suggesting this infrastructure is newly operational and actively evolving to evade detection.  

The domain remains in active status with under investigation status from multiple threat intelligence sources. Immediate blocking at DNS and network level is recommended due to the high-risk nature of crypto drainers, which silently drain wallets upon interaction. Users are advised to verify download sources manually, use hardware wallets, and monitor transaction alerts. While the current risk is elevated due to zero detection coverage, ongoing monitoring is critical as detection signatures develop.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/d51c9f78-22a7-4f18-9505-73424f196f93
- PhishDestroy: https://phishdestroy.io/domain/download-en-faq.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/download-en-faq.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/download-en-faq.pages.dev/
Last updated: 2026-04-13