# lynx-signal.pages.dev — SUSPICIOUS

> Lynx-signal.pages.dev operates as a cryptocurrency drainer abusing the Signal brand. Hosted on 188.114.96.

## Summary
PhishDestroy identifies an active cryptocurrency-draining campaign hosted at lynx-signal.pages.dev that masquerades as the legitimate Signal secure-messaging service. The threat type is a generic phishing domain purposed to harvest private keys and initiate unauthorized crypto transfers. No specific brand impersonation kit was observed in the forensic feed, but the domain’s messaging consistently prompts users to connect wallets or send assets under the guise of a Signal-related service. The domain was registered via Cloudflare, Inc. and resolves to IPv4 address 188.114.96.3, currently served over a Let’s Encrypt TLS certificate to appear legitimate.  This domain exhibits the following concrete technical indicators: VirusTotal detection score of 0/95 at time of capture, Cloudflare registrar services, static IP 188.114.96.3, and hosting behind Cloudflare Pages. No entry exists in Google Safe Browsing (GSB) and no third-party blocklists have flagged the domain at this time, leaving endpoints directly exposed. Creation metadata indicates recent deployment, aligning with the onset of active lure campaigns across messaging platforms.  The campaign remains active as of the latest scan window, with no detections or takedown actions recorded. Users should block destination 188.114.96.3 and the FQDN lynx-signal.pages.dev at the network perimeter, disable auto-execution of embedded scripts, and verify any Signal-related URL via the official signal.org domain before interacting. Residual risk persists due to low detection coverage and continued propagation across social-engineering vectors.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/509d05ba-b2d9-423e-8376-3c275f463d1e
- PhishDestroy: https://phishdestroy.io/domain/lynx-signal.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/lynx-signal.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/lynx-signal.pages.dev/
Last updated: 2026-03-28