# exdsstbfd567yj.shawnie-12.workers.dev — SUSPICIOUS

> exdsstbfd567yj.shawnie-12.workers.dev is a credential-stealing phishing page hosted on Cloudflare at 172.67.158.125.

## Summary

PhishDestroy identifies exdsstbfd567yj.shawnie-12.workers.dev as an active credential-stealing phishing domain (generic_phishing) with risk level under_investigation. This domain resolves to IP 172.67.158.125 through Cloudflare, Inc., and was registered via Cloudflare’s worker platform. The domain currently holds a valid SSL certificate issued by Google Trust Services (GTS CA 1C3) despite zero detections out of 95 VirusTotal scans as of the seed ab7688. No blocklist citations or trust score metrics are publicly available at this time, leaving its full threat profile unresolved.

This domain was flagged under generic phishing for harvesting user credentials under the guise of a legitimate service. Its use of Cloudflare Workers suggests an attempt to evade traditional hosting-based detection while leveraging Google’s trusted CA for spoofed legitimacy. The absence of detections (0/95) on VirusTotal indicates a likely zero-day or highly targeted campaign, further complicating early identification. The registration via Cloudflare’s infrastructure provides anonymity and rapid deployment capabilities, typical of phishing campaigns designed for short operational lifespans.

To mitigate exposure to this threat, users must avoid interacting with exdsstbfd567yj.shawnie-12.workers.dev entirely, especially any login prompts or input forms. Organizations should audit outbound traffic for connections to 172.67.158.125 and block this IP at the network perimeter. Given the domain’s low detection rate, proactive threat hunting via DNS sinkholing or behavioral analytics is recommended. Report any suspected interactions to CERT teams or via platforms like PhishTank to expedite domain takedown and update detection signatures.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.67.158.125

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/dfedd6c1-d0b9-43d8-9a05-28c3dc3e0d26
- PhishDestroy: https://phishdestroy.io/domain/exdsstbfd567yj.shawnie-12.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/exdsstbfd567yj.shawnie-12.workers.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/exdsstbfd567yj.shawnie-12.workers.dev/

Last updated: 2026-04-13