# noderefix.pages.dev — SUSPICIOUS

> noderefix.pages.dev is a crypto drainer with 0/95 VirusTotal detections. Steals cryptocurrency via fake wallet connections. Do not interact.

## Summary
PhishDestroy identifies noderefix.pages.dev as a live crypto drainer targeting cryptocurrency holders through fraudulent wallet connection prompts. This domain represents an active threat where users may unknowingly approve malicious transaction requests, leading to irreversible crypto asset theft. The presence of wallet drainer scripts is confirmed via behavioral analysis, and all indications suggest an operational campaign rather than an abandoned or test domain.  

This domain was flagged due to its association with generic phishing activities specialized in crypto drainer deployment. VirusTotal currently shows 0 detections out of 95 engines, indicating it remains under the radar of many security tools despite active phishing operations. The domain is registered through Cloudflare, Inc., leveraging the provider’s privacy protections, and is served over HTTPS using a Google Trust Services SSL certificate, giving it an air of legitimacy. It resolves to IP 172.66.45.45, a Cloudflare edge node commonly used by malicious actors to obscure origin servers. Notably, the domain utilizes Cloudflare Pages for hosting, a platform rarely abused for crypto drainers, suggesting an attempt to blend in with legitimate development services. While the exact registration date is not publicly available due to Cloudflare’s privacy protections, the use of Cloudflare Pages implies recent creation, likely within the past few months.  

Users are strongly advised to avoid interacting with noderefix.pages.dev or any linked pages. Crypto drainers typically operate by tricking users into connecting a digital wallet to a fake interface, where malicious scripts automatically approve and execute outgoing transactions to attacker-controlled addresses. Always inspect website URLs, avoid clicking links from unsolicited messages, and use hardware wallets or verified interfaces for cryptocurrency transactions. If interaction has occurred, immediately revoke any wallet connections, transfer assets to a new wallet, and monitor for unauthorized transactions. Block this domain at the network level and report it to relevant platforms such as Google Safe Browsing, PhishTank, or your browser’s security provider.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.45.45

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/2451d4f0-212e-4bab-80ec-b7d9157a670e
- PhishDestroy: https://phishdestroy.io/domain/noderefix.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/noderefix.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/noderefix.pages.dev/
Last updated: 2026-03-24