# metaamskloggus.gitbook.io — MALICIOUS

> metaamskloggus.gitbook.io operates a crypto drainer impersonating MetaMask. VirusTotal flags 15/95 vendors. Avoid and report immediately.

## Summary

PhishDestroy identifies metaamskloggus.gitbook.io as an active crypto drainer campaign impersonating MetaMask. The hostname is a space on GitBook's legitimate documentation platform (a subdomain of gitbook.io), which the operators use to host pages and scripts that mimic the MetaMask wallet interface and siphon cryptocurrency from victims. Threat actors commonly deploy such drainers against users during high-profile NFT mints, airdrops, or wallet interactions. The links are distributed through social media, Discord, and phishing e-mail; the hostname's resemblance to official MetaMask documentation or support pages lures victims into connecting their wallets and signing fraudulent transactions or approvals.

Technical indicators are as follows. The hostname resolves to 172.64.147.209, a Cloudflare edge address shared by many unrelated Cloudflare-fronted sites, and the TLS certificate is issued by Google Trust Services, consistent with certificates that Cloudflare provisions automatically in front of gitbook.io; neither the IP nor the certificate was chosen by the attacker. The registration date of 2014-03-30 and the registrar record (Cloudflare, Inc.) belong to the parent domain gitbook.io, not to the attacker: the malicious name was never registered, only created as a GitBook space, so domain age is not a trust signal here and does not indicate a compromised or abandoned legitimate domain. VirusTotal reports a detection ratio of 15 out of 95 vendors, and the hostname is listed by OpenPhish (one blocklist hit). Google Safe Browsing reported it clean at the time of this report, so browser warnings cannot be relied on to protect users. The site remains active as of the latest intelligence cycle.

Immediate remediation: block the hostname metaamskloggus.gitbook.io at the DNS, proxy, and endpoint levels, and share the indicator with users of affected organizations. Do not add a firewall rule for 172.64.147.209: it is shared Cloudflare infrastructure, so an IP rule would cut off unrelated legitimate services while the attacker's page stays reachable behind any other Cloudflare address.
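As an added worked example (not part of the PhishDestroy report), the following Python script applies the blocking and hunting advice above to constructed proxy-log lines: it matches the exact hostname indicator and, going beyond this single case, also flags other hostnames with a label that is one edit or adjacent-letter swap away from "metamask", which is the pattern behind "metaamsk". The log format, the sample lines, the brand allowlist and every function name are assumptions made for this example. Matching is done on the hostname because 172.64.147.209 is a shared Cloudflare address and not a usable indicator on its own.

```python
"""Hostname-level triage for the MetaMask drainer indicator above.

Matches proxy/DNS log lines against the exact IoC hostname and, beyond it,
flags hostnames whose label is a near-miss of "metamask" (one edit or an
adjacent-letter swap), which is how "metaamsk..." is built. Triage is by
hostname: 172.64.147.209 is a shared Cloudflare edge address.
The log format and the sample lines below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Exact indicator from the report.
IOC_HOSTS = {"metaamskloggus.gitbook.io"}

# Legitimate brand domains that must never be reported as lookalikes (assumed).
BRAND_ALLOWLIST = ("metamask.io",)
BRAND = "metamask"

# Constructed sample log lines (not real traffic), one URL per line.
SAMPLE_LOG = """\
2026-04-12T10:02:11Z user=alice url=https://metaamskloggus.gitbook.io/connect-wallet
2026-04-12T10:03:40Z user=bob url=https://docs.metamask.io/wallet/
2026-04-12T10:05:02Z user=carol url=https://metamask-support.gitbook.io/claim
2026-04-12T10:06:19Z user=dave url=https://example.com/
"""

URL_RE = re.compile(r"url=(\S+)")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus one-step adjacent
    transpositions, so "metaamsk" vs "metamask" scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def label_looks_like_brand(label: str, brand: str = BRAND, max_dist: int = 1) -> bool:
    """True if any window of the label (brand length +/- 1) is within max_dist
    edits of the brand, so extra words glued on ("...loggus") do not hide it."""
    n = len(brand)
    for width in (n - 1, n, n + 1):
        for start in range(0, len(label) - width + 1):
            if osa_distance(label[start:start + width], brand) <= max_dist:
                return True
    return False


def triage_host(host: str) -> str:
    """Return 'ioc-match', 'lookalike' or 'clean' for one hostname."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS:
        return "ioc-match"
    if any(host == d or host.endswith("." + d) for d in BRAND_ALLOWLIST):
        return "clean"
    if any(label_looks_like_brand(label) for label in host.split(".")):
        return "lookalike"
    return "clean"


def triage_log(text: str) -> list:
    """Extract the URL from each log line and triage its hostname."""
    results = []
    for line in text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname
        if host:
            results.append((host, triage_host(host)))
    return results


if __name__ == "__main__":
    for host, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:10} {host}")
```

The allowlist check runs before the lookalike heuristic so that genuine MetaMask documentation is never flagged; any hit of "lookalike" on a free-hosting domain such as gitbook.io is a hunting lead to verify, not an automatic block.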
Users are strongly advised to verify URLs before interacting with wallet-related content, avoid clicking unsolicited links, and use only official MetaMask channels. The elevated risk stems from the abuse of a trusted hosting platform and an automatically issued certificate, which lend the page plausibility and let it persist despite partial detection by security vendors. Continuous monitoring and proactive threat hunting for lookalike MetaMask names on free hosting platforms are recommended to limit further exposure.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2014-03-30 06:09:09 (parent domain gitbook.io; the subdomain itself has no registration record)
- Registrar: Cloudflare, Inc (for gitbook.io)
- IP: 172.64.147.209 (shared Cloudflare edge address; block by hostname, not by IP)

## Detection Status

- VirusTotal: 15 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hit
- Lists: ["OpenPhish"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/33eb551a-6c4e-4cbb-9027-184ac55b6dd2
- PhishDestroy: https://phishdestroy.io/domain/metaamskloggus.gitbook.io/
- LLM endpoint: https://phishdestroy.io/domain/metaamskloggus.gitbook.io/llm.txt

## If You Visited This Site

1. If you connected a wallet, entered a seed phrase, or signed any transaction or approval, treat that wallet as compromised: move remaining assets to a new wallet with a freshly generated seed phrase and revoke any token approvals the site obtained
2. Change any passwords you may have entered
3. Enable 2FA on all related accounts
4. Monitor your accounts for unauthorized activity
5. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/metaamskloggus.gitbook.io/
Last updated: 2026-04-12