# kra11.vip — MALICIOUS > PhishDestroy identifies kra11.vip as a running fake-krypto-giveaway phishing site. 15 of 95 VirusTotal scanners already flag it. Check the full report. ## Summary PhishDestroy identifies kra11.vip as an active fake-cryptocurrency giveaway scam designed to trick victims into depositing crypto into attacker-controlled wallets. The page masquerades as a legitimate promotional site offering free tokens or coins, but all transactions ultimately route to wallets controlled by the threat actor, resulting in irreversible financial loss. Threat actors are leveraging urgency and social engineering—such as limited-time offers and celebrity endorsements—to drive traffic and maximize victim engagement. Technical analysis of kra11.vip reveals a rapidly deployed, low-effort fraud page hosted on 86.54.25.38, a server associated with previous scam campaigns, indicating reuse of infrastructure to reduce operational cost. The domain was registered on November 20, 2025, through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar known for lax enforcement of fraudulent registrations and frequent abuse. VirusTotal currently reports 15 out of 95 security vendors flagging this domain, placing it in the elevated-risk category and signaling early-stage but growing detection across the threat intelligence community. This domain poses a high financial risk due to its targeted deception and cryptocurrency focus. The threat actor impersonates a legitimate giveaway to exploit victims’ trust in blockchain promotions. Unlike generic phishing lures, this campaign specifically targets crypto investors by mimicking official branding, countdown timers, and fake transaction confirmations to appear authentic. The domain resolves to IP 86.54.25.38, which has been previously linked to multiple known scam campaigns, reinforcing the likelihood of coordinated fraudulent activity. Domain registration occurred only days ago, suggesting a fresh, opportunistic deployment designed for short-term exploitation before takedown. The low barrier to entry—combined with high perceived reward—makes this campaign attractive to both novice and sophisticated threat actors. The 15/95 VirusTotal detection rate indicates partial visibility across security tools, with many engines still developing signatures or heuristics for this specific campaign variant. Users who visited kra11.vip should immediately cease any cryptocurrency transactions linked to the site and check all connected wallets for unauthorized transfers. Disconnect devices from the internet to prevent potential follow-on malware or credential harvesting. Report the domain to your local cybercrime unit, financial institution, and cryptocurrency exchange if funds were sent. Enable multi-factor authentication on all financial accounts and monitor for unsolicited wallet connection requests. If you entered credentials or payment details, revoke API access, rotate passwords, and report the incident to relevant authorities. Consider using network-level ad-blockers or DNS filtering services to block known malicious domains like kra11.vip in the future. Proactive threat intelligence sharing can help prevent others from falling victim to similar scams. ## Threat Details - Verdict: MALICIOUS - Site status: unknown (HTTP ?) - Page title: kra11.vip ## Domain Intelligence - Registered: 2025-11-20 00:00:12 - Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED - IP: 86.54.25.38 ## Detection Status - VirusTotal: 15 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/5d495e9c-d0ab-491c-814d-ceab3439866b - PhishDestroy: https://phishdestroy.io/domain/kra11.vip/ - LLM endpoint: https://phishdestroy.io/domain/kra11.vip/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/kra11.vip/ Last updated: 2026-03-28