# expresscp.top — SUSPICIOUS > ExpressCP.top is a crypto drainer impersonating ExpressVPN. Flagged by 1 of 95 VirusTotal vendors. Verify safety now on PhishDestroy. ## Summary PhishDestroy identifies ExpressCP.top as an active crypto drainer domain operating under an elevated threat classification. This domain specifically impersonates ExpressVPN to deceive users into entering sensitive wallet credentials, enabling direct cryptocurrency theft. The domain remains in active status within PhishDestroy’s threat database as of current assessments. This domain was flagged by 1 of 95 VirusTotal security vendors, indicating limited but concerning detection coverage. It resolves to IP address 198.251.84.200, is registered through Spaceship, Inc., and was created on March 13, 2026. The domain utilizes a valid Let’s Encrypt SSL certificate, which may enhance its credibility in phishing campaigns despite its malicious intent. Current blocklist inclusion and trust scores indicate emerging but unmitigated risk. ExpressCP.top is currently active and poses a significant risk to users interacting with deceptive login portals or payment interfaces. Security researchers and users are strongly advised to avoid this domain entirely and verify any suspicious links through PhishDestroy’s threat lookup tool. Block the IP 198.251.84.200 at the network level where possible and report related activities to relevant cybersecurity authorities. Continuous monitoring is recommended due to the domain’s recent creation and low initial detection rate. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registered: 2026-03-13 13:24:14 - Registrar: Spaceship, Inc. - IP: 198.251.84.200 ## Detection Status - VirusTotal: 1 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/9c04b181-c566-4ee8-8300-91c9e594ce9c - PhishDestroy: https://phishdestroy.io/domain/expresscp.top/ - LLM endpoint: https://phishdestroy.io/domain/expresscp.top/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/expresscp.top/ Last updated: 2026-03-23