# galaxyfox-io-presalestokenclaim.pages.dev — SUSPICIOUS

> galaxyfox-io-presalestokenclaim.pages.dev is a crypto brand impersonation scam targeting OKX users. Detected by 1/95 VirusTotal vendors.

## Summary
PhishDestroy identifies galaxyfox-io-presalestokenclaim.pages.dev as an elevated-risk domain engaged in brand impersonation of OKX, a major cryptocurrency exchange. This site masquerades as a legitimate OKX pre-sale token claim portal to deceive users into connecting wallets or entering credentials, enabling fund theft via crypto drainer tactics. The infrastructure leverages Cloudflare-hosted pages with a Google Trust Services SSL certificate to appear legitimate. This domain was flagged by ScamSniffer and Enkrypt and currently resolves to IP 188.114.97.3. Security vendor detection via VirusTotal remains low at 1/95, highlighting the need for proactive community and tool-based blocking.


This impersonation scam combines multiple red flags: it impersonates OKX, a widely recognized brand, and uses a Cloudflare-registered *.pages.dev subdomain to host malicious content. The domain is blocked by two security blocklists (ScamSniffer, Enkrypt), reducing but not eliminating exposure risk. It operates on IP 188.114.97.3, a known Cloudflare node often abused in phishing campaigns. Despite a low VirusTotal detection ratio (1/95), this low ratio is common with newly active or niche-targeted scams, making user awareness critical. The SSL certificate from Google Trust Services adds a false veneer of authenticity, tricking users into believing the site is secure.


To mitigate exposure to this brand impersonation scam, users should avoid visiting galaxyfox-io-presalestokenclaim.pages.dev and immediately block the domain at the network level. Cryptocurrency users should always verify URLs via official OKX channels and avoid interacting with unsolicited pre-sale or token claim offers. Wallet extensions and browsers should be updated, and real-time threat feeds (e.g., ScamSniffer, Enkrypt) should be enabled for automatic blocking. Report this domain to security platforms and block the IP 188.114.97.3 if possible to reduce further propagation.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: OKX

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 188.114.97.3

## Detection Status
- VirusTotal: 1 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  Lists: ["ScamSniffer", "Enkrypt"]

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/02c65988-6796-485b-891b-cb45f7741034
- PhishDestroy: https://phishdestroy.io/domain/galaxyfox-io-presalestokenclaim.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/galaxyfox-io-presalestokenclaim.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/galaxyfox-io-presalestokenclaim.pages.dev/
Last updated: 2026-03-26