# lbank.works — SUSPICIOUS

> lbank.works detected distributing banking phishing scam via drainer kit. SSL active, 0/95 VT score. Check full report.

## Summary

PhishDestroy identifies lbank.works as an active banking phishing domain, currently under investigation for deploying a crypto wallet drainer kit targeting unsuspecting users. The domain mimics legitimate banking interfaces to harvest credentials and initiate unauthorized transactions, posing a credible threat to financial security. The operation leverages deceptive domain naming to exploit brand trust, a tactic commonly associated with advanced phishing campaigns. Investigators note the drainer kit’s modular architecture, which enables rapid adaptation to bypass evolving security measures and enhances the campaign’s evasion capabilities.

This domain was flagged with a current VirusTotal detection score of 0/95 as of the latest analysis, indicating no anti-malware engines have flagged the domain or its payloads yet. The infrastructure resolves to IP address 104.21.32.187, hosted under the NameMart Pte. Ltd. registrar, which has become a frequent point of registration for phishing operators seeking anonymity. The domain was registered on April 04, 2026, and secured an SSL certificate through Let’s Encrypt, reinforcing the appearance of legitimacy. Google Safe Browsing (GSB) has not yet listed the domain, and public blocklists remain unaware, allowing the campaign to operate under minimal scrutiny. The absence of blacklist coverage and the use of a trusted SSL provider significantly reduce user suspicion and increase the potential for successful exploitation.

The threat remains active and evolving, with no immediate blocklist intervention expected. As a preventive measure, users and organizations are urged to avoid accessing lbank.works and to inspect network traffic for connections to 104.21.32.187. Security teams should update firewall rules and DNS blocklists to include this IP and domain.
While the current risk is assessed as 'under_investigation', the lack of detections and stealth infrastructure suggest the campaign is in its maturation phase. Continuous monitoring and proactive threat intelligence sharing are critical to preventing widespread compromise. Immediate action is advised to mitigate exposure and disrupt potential financial fraud.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-04-04 17:12:00
- Registrar: NameMart Pte. Ltd.
- IP: 104.21.32.187

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/lbank.works
- PhishDestroy: https://phishdestroy.io/domain/lbank.works/
- LLM endpoint: https://phishdestroy.io/domain/lbank.works/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/lbank.works/

Last updated: 2026-04-06