# krnmp-to.pages.dev — SUSPICIOUS

> Learn if krnmp-to.pages.dev is safe. It's a crypto drainer phishing site flagged by 1/95 VirusTotal vendors. Investigate now before visiting.

## Summary
PhishDestroy identifies krnmp-to.pages.dev as an active crypto drainer phishing domain posing elevated risk to cryptocurrency users. This Pages.dev subdomain is designed to trick visitors into connecting crypto wallets or revealing seed phrases under false pretenses, specifically targeting digital asset holders. The domain leverages the Pages.dev platform—owned by Cloudflare—to host malicious content while appearing as a legitimate service, exploiting trust in familiar domain structures.


Technical analysis confirms krnmp-to.pages.dev was registered through Cloudflare, Inc., resolving to IP 172.66.46.223 via a Google Trust Services SSL certificate. VirusTotal scanning reveals only 1 out of 95 security vendors currently detect malicious activity, highlighting its stealth and evasion capabilities. The low detection rate suggests this threat may be newly deployed or employs advanced obfuscation to bypass traditional scanning tools. The domain operates as a crypto drainer, a specialized phishing variant that automates fund extraction from connected wallets upon user interaction.


Users who visited krnmp-to.pages.dev should immediately disconnect any connected crypto wallets, revoke any wallet permissions granted to the site, and transfer remaining assets to a clean wallet. Do not interact with wallet connection prompts or enter seed phrases on this domain. Clear browser cache and cookies, then scan your device with updated antivirus software. Report the domain to your wallet provider and relevant cybercrime units. Avoid re-accessing the domain to prevent potential malicious payload delivery.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.46.223

## Detection Status
- VirusTotal: 1 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/e61c4d2d-5d58-41ba-b75a-1ebd7f35d460
- PhishDestroy: https://phishdestroy.io/domain/krnmp-to.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/krnmp-to.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/krnmp-to.pages.dev/
Last updated: 2026-03-28