# linkexp.pages.dev — SUSPICIOUS

> linkexp.pages.dev is a recently identified crypto drainer scam hosting phishing pages to steal digital assets.

## Summary
PhishDestroy identifies linkexp.pages.dev as a freshly observed crypto drainer scam under active telemetry review, leveraging Cloudflare Pages for rapid deployment and obfuscation. The domain, registered through Cloudflare, Inc., appears designed to mimic legitimate services to trick users into connecting crypto wallets for fraudulent transactions. No specific brand impersonation has been confirmed at this stage, though generic lure pages targeting cryptocurrency users are suspected based on infrastructure alignment with known drainer kits such as Seedphraser and AngelDrainer. The domain was flagged via heuristic analysis targeting suspicious PageDev and Pages.dev deployments commonly abused in cryptocurrency scams.  

Technical indicators confirm low detection but high operational risk. VirusTotal currently reports 0 detections out of 95 engines as of the latest scan. The domain resolves to IP 172.66.46.244, which is associated with Cloudflare’s CDN infrastructure. The SSL certificate is issued by Google Trust Services (GTS), a common tactic to establish false legitimacy. Registration occurred recently via Cloudflare, Inc., though the exact creation date remains unconfirmed in public WHOIS due to Cloudflare’s privacy protection. Google Safe Browsing (GSB) status is unflagged at this time, and no persistent blocklist entries exist in major threat intelligence feeds. The absence of detections suggests either evasion tactics or a very recent campaign launch.  

Current status remains under active investigation with low confidence attribution pending deeper behavioral analysis. No takedown action has been initiated as of this report, maintaining the domain’s active status. Immediate defensive actions include blocking the domain at network and endpoint levels using DNS sinkholing or web filtering rules targeting linkexp.pages.dev and its resolving IP 172.66.46.244. Users are advised to avoid any interaction with this domain, particularly when prompted to connect cryptocurrency wallets or enter seed phrases. The remaining risk is assessed as moderate due to unconfirmed detection coverage and the domain’s rapid deployment nature. Continued monitoring is recommended as additional telemetry may reveal broader campaign scope or associated infrastructure.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.46.244

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/1e42871d-aa21-4628-a102-977a449a0510
- PhishDestroy: https://phishdestroy.io/domain/linkexp.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/linkexp.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/linkexp.pages.dev/
Last updated: 2026-03-30