# microbull.org — SUSPICIOUS

> microbull.org impersonates MicroStrategy to deploy a crypto drainer kit. Do NOT connect wallets. Verify on PhishDestroy.

## Summary

PhishDestroy identifies microbull.org as an active crypto-draining phishing site registered on December 8, 2025. The domain uses fake branding that closely mimics MicroStrategy’s identity to trick cryptocurrency holders into connecting wallets and authorizing malicious token transfers. Security telemetry confirms the page contains a drainer kit that silently siphons tokens once a wallet is connected. The campaign is designed for rapid fund exfiltration and is currently intercepting live traffic aimed at legitimate MicroStrategy resources.

Technical indicators include zero VirusTotal detections (0/95 engines), an SSL certificate issued via Google Trust Services, the registrar Gname.com Pte. Ltd., and the hosting IP 172.67.193.118. The domain was created on 2025-12-08, 3 days ago, indicating a very recent launch intended to capitalize on brand confusion. Google Safe Browsing has not yet blacklisted the domain, and public blocklists have not flagged it, so unsuspecting visitors see no warning. All traffic is presently live and no sinkholing or take-down has been observed.

The domain remains active with an elevated risk level due to its unmitigated presence and drainer payload. Users visiting microbull.org are exposed to immediate wallet compromise if they authorize any transaction. PhishDestroy recommends immediate network and host blocking of the domain and IP, alongside wallet disconnection and fund reassessment. Remaining risk is high until the domain is added to global threat feeds and Safe Browsing lists; continued monitoring is advised as the campaign is likely to persist and expand.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Page title: MicroBull

## Domain Intelligence

- Registered: 2025-12-08 05:51:38
- Registrar: Gname.com Pte. Ltd.
- IP: 172.67.193.118

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/microbull.org
- PhishDestroy: https://phishdestroy.io/domain/microbull.org/
- LLM endpoint: https://phishdestroy.io/domain/microbull.org/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/microbull.org/

Last updated: 2026-04-05