# kpa33.cc — MALICIOUS

> kpa33.cc is a live credential theft domain with 5/95 VirusTotal detections. This active campaign impersonates trusted brands to harvest login data.

## Summary

PhishDestroy identifies kpa33.cc as an active credential theft domain weaponized in a live phishing campaign (seed 5cbae1). The domain resolves to 104.21.19.213 and operates under a Google Trust Services SSL certificate, which attackers use to lend false legitimacy to spoofed login pages. Analysis confirms the infrastructure is configured to harvest user credentials under the guise of a legitimate service, exposing victims to immediate account takeovers and financial loss.

This domain was flagged by 5 out of 95 VirusTotal security vendors at time of detection. It was registered on January 23, 2025 through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar frequently abused in low-cost bulk domain registrations. The short domain age and clean SSL status are consistent with fast-flux phishing operations designed to evade detection. The low detection ratio highlights the challenge of identifying new, low-signal credential theft domains in real time.

Users who visited kpa33.cc should immediately check browser history and disable any saved credentials on the site. Change passwords for accounts entered on this domain across all online services, especially email and financial platforms. Enable multi-factor authentication on all critical accounts. Report the domain to your security team or via abuse channels, and consider blocking 104.21.19.213 at the network perimeter. Monitor accounts for unusual activity for at least 30 days following exposure.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-01-23 20:38:25
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.19.213

## Detection Status

- VirusTotal: 5 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/fe9531c2-0b4d-4e5d-af79-ad2c8ae47c63
- PhishDestroy: https://phishdestroy.io/domain/kpa33.cc/
- LLM endpoint: https://phishdestroy.io/domain/kpa33.cc/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/kpa33.cc/

Last updated: 2026-03-26