# krab1-at-onion.ru — SUSPICIOUS

> PhishDestroy flags krab1-at-onion.ru as a credential-harvesting site. Detected 0/95 on VirusTotal. Check the full report.

## Summary

PhishDestroy identifies krab1-at-onion.ru as an active credential-harvesting domain designed to trick users into surrendering sensitive login credentials. This onion-themed domain mimics legitimate login portals, luring victims with deceptive branding and social-engineering prompts to extract usernames, passwords, and multi-factor authentication tokens. The infrastructure behind the site has been provisioned rapidly, with the domain registered through RU-CENTER-RU on December 19, 2025, and resolved to IP 172.67.160.28 using a Google Trust Services SSL certificate—indicators commonly abused in low-overhead phishing campaigns targeting global users.

This domain remains largely undetected, with zero detections out of 95 engines on VirusTotal at the time of analysis. Its recent creation date and clean reputation suggest opportunistic deployment, likely in response to current events or seasonal spikes in user activity. The combination of a freshly registered domain, low detection coverage, and trusted certificate infrastructure elevates the risk profile, positioning this domain as a high-probability threat vector for credential theft and follow-on attacks such as account takeover and session hijacking.

Users who have visited krab1-at-onion.ru are advised to immediately change passwords for any accounts exposed during the visit, enable multi-factor authentication where possible, and scan devices for malware or unauthorized access. Report suspicious activity to your security team and avoid interacting with the domain further. Organizations are urged to block the domain at the network perimeter and monitor for inbound or outbound connections to 172.67.160.28, while updating threat intelligence feeds with the domain and associated IP to prevent future exposure.
## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2025-12-19 10:37:21
- Registrar: RU-CENTER-RU
- IP: 172.67.160.28

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/246c10db-f0bb-4303-a3b9-5200554964bc
- PhishDestroy: https://phishdestroy.io/domain/krab1-at-onion.ru/
- LLM endpoint: https://phishdestroy.io/domain/krab1-at-onion.ru/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/krab1-at-onion.ru/

Last updated: 2026-03-28