# kr34.cfd — SUSPICIOUS

> kr34.cfd tied to credential theft operations: detected by only 2 of 95 VirusTotal vendors. Avoid login prompts on this domain and report it immediately.

## Summary

PhishDestroy identifies kr34.cfd as an active credential theft domain deployed in generic phishing campaigns. The site masquerades as legitimate login portals to harvest user credentials and session tokens, enabling follow-on account takeovers and financial fraud. Analysis of kr34.cfd reveals consistent redirection chains to faux portals mimicking popular SaaS and financial platforms, with the campaign showing rapid evolution of lure pages over the past 48 hours.

This domain was flagged by only 2 out of 95 VirusTotal security vendors, registered on August 09, 2025 via NICENIC INTERNATIONAL GROUP CO., LIMITED, and currently appears on 1 public blocklist.

Infrastructure analysis ties kr34.cfd to IP 104.21.65.127, a shared host previously associated with low-confidence credential harvesting kits. The domain’s SSL certificate, issued by Google Trust Services, increases its perceived legitimacy, making users more susceptible to deception. Autonomous system research links the IP to Cloudflare, complicating takedown efforts due to Cloudflare’s abuse-mitigation delays.

If you visited kr34.cfd or entered credentials, immediately rotate passwords on all related accounts and enable multi-factor authentication. Report the domain to your security team and submit a suspicious URL report to PhishDestroy. Clear browser cache and cookies, then run a reputable antivirus scan to detect any implant payloads. Monitor financial accounts and enable transaction alerts for unusual activity.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-08-09 17:53:18
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.65.127

## Detection Status

- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hit
- Lists: ["PhishDestroy"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/c88e6693-db4c-4123-b0bd-b5b9c99c013f
- PhishDestroy: https://phishdestroy.io/domain/kr34.cfd/
- LLM endpoint: https://phishdestroy.io/domain/kr34.cfd/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/kr34.cfd/

Last updated: 2026-03-26