# noderoots.xyz — SUSPICIOUS

> noderoots.xyz is a newly flagged suspected crypto wallet drainer (0/95 VT) mimicking legitimate platforms. Created Jan 26, 2026, it is assessed to host scripts that steal wallet assets.

## Summary

PhishDestroy lists noderoots.xyz as a suspected crypto wallet drainer domain, currently under investigation for generic phishing activity. The domain appears to impersonate a legitimate cryptocurrency wallet service, most likely presenting a deceptive login page or a wallet-connect / transaction prompt designed to siphon digital assets. Drainer kits of this type are script frameworks that abuse wallet interactions: they either phish the seed phrase or private key outright, or trick the victim into signing token approvals and transfers that move funds out of the connected wallet. Given the domain's recent creation (January 26, 2026) and its complete lack of history, users should avoid any interaction, including page visits and wallet connections.

Several technical red flags are visible in the infrastructure data. VirusTotal currently reports 0 detections out of 95 engines (0/95). For a domain this young that is the expected result, not evidence that the site is benign: reputation engines lag new campaigns by days or weeks, and a clean score should not be read as a clean bill of health. The domain resolves to 104.21.84.117, an address inside Cloudflare's published 104.16.0.0/13 range, which means the site sits behind Cloudflare's reverse proxy and its real origin server is not visible; the Let's Encrypt certificate completes the picture. Both services are free and widely used, which is exactly why they lend a legitimate-looking HTTPS front to a throwaway domain. The domain was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar that is not inherently malicious but is frequently seen in bulk and privacy-shielded registrations. Google Safe Browsing reports the domain as clean and no major blocklist lists it, consistent with a newly deployed campaign that automated detection engines have not yet caught up with. The combination of a fresh domain, disposable infrastructure and zero detections points to an emerging threat with a high chance of success for as long as it stays unblocked. Nothing in the detection data above would currently stop noderoots.xyz on most networks or security tools; its live HTTP status was not confirmed at the time of this report.
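The two points above (a young domain with no detections, and a shared Cloudflare address that must not be blocked) translate directly into detection logic. The following Python sketch is an added example and not PhishDestroy's code: it scans DNS query-log lines, blocks the reported domain and every subdomain of it, flags queries to any domain registered within the last 30 days for review, deliberately leaves 104.21.84.117 out of the blocklist, and emits BIND response-policy-zone records for the indicator. The log lines and the WHOIS creation-date cache are constructed for the example (only the noderoots.xyz registration date comes from the report), and the registrable-domain helper just takes the last two labels and is not public-suffix aware, so a production version would use a PSL library and live RDAP lookups.

```python
import re
from datetime import date

# Indicator from the report. 104.21.84.117 is deliberately NOT listed: it is a
# shared Cloudflare edge address, and blocking it would hit unrelated sites.
BLOCKED_DOMAINS = {"noderoots.xyz"}

# "Last updated" date of the report, used as "today" for the age check.
REPORT_DATE = date(2026, 3, 27)

# Constructed WHOIS creation-date cache (assumption: a local cache populated by
# earlier RDAP/WHOIS lookups). Only the noderoots.xyz date comes from the report.
CREATION_DATES = {
    "noderoots.xyz": date(2026, 1, 26),
    "example.com": date(1995, 8, 14),               # constructed
    "fresh-wallet-example.xyz": date(2026, 3, 20),  # constructed
}

NEW_DOMAIN_DAYS = 30  # review anything younger than this

# Constructed dnsmasq-style query log. The reply line carries the IP from the
# report only to show that the scanner ignores non-query lines.
SAMPLE_LOG = """\
Mar 27 10:01:02 dnsmasq[812]: query[A] noderoots.xyz from 10.0.0.15
Mar 27 10:01:05 dnsmasq[812]: query[A] app.noderoots.xyz from 10.0.0.15
Mar 27 10:02:11 dnsmasq[812]: query[AAAA] www.example.com from 10.0.0.20
Mar 27 10:03:40 dnsmasq[812]: query[A] login.fresh-wallet-example.xyz from 10.0.0.31
Mar 27 10:04:00 dnsmasq[812]: reply noderoots.xyz is 104.21.84.117
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def registrable_domain(fqdn: str) -> str:
    """Last two labels of the name. Not public-suffix aware (assumption: a real
    deployment would use a PSL library so that names like foo.co.uk work)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(fqdn: str, today: date) -> tuple[str, str]:
    """Return (verdict, reason); verdict is block, review, unknown or allow."""
    base = registrable_domain(fqdn)
    if base in BLOCKED_DOMAINS:  # matches the apex and every subdomain
        return "block", f"{base} is on the blocklist"
    created = CREATION_DATES.get(base)
    if created is None:
        return "unknown", f"no registration date cached for {base}"
    age_days = (today - created).days
    if age_days < NEW_DOMAIN_DAYS:
        return "review", f"{base} registered {age_days} days ago"
    return "allow", f"{base} is {age_days} days old"


def scan_log(text: str, today: date) -> list[tuple[str, str, str, str]]:
    """Return (client, queried name, verdict, reason) for every non-allowed query."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies and other log lines are not queries
        verdict, reason = classify(m["name"], today)
        if verdict != "allow":
            findings.append((m["client"], m["name"], verdict, reason))
    return findings


def rpz_records(domains: set[str]) -> list[str]:
    """BIND response-policy-zone records that return NXDOMAIN for each domain
    and all of its subdomains ("CNAME ." is the RPZ NXDOMAIN action)."""
    records = []
    for d in sorted(domains):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    for client, name, verdict, reason in scan_log(SAMPLE_LOG, REPORT_DATE):
        print(f"{verdict:8} {client:12} {name:35} {reason}")
    print("\n".join(rpz_records(BLOCKED_DOMAINS)))
```

Running it over the constructed log produces two block findings for noderoots.xyz and its subdomain, one review finding for the seven-day-old constructed domain, and nothing for www.example.com; the RPZ lines can be dropped into an existing policy zone. The review tier is the important design choice: a hard block on every young domain generates false positives on legitimate new services, whereas routing them to an analyst preserves the signal that caught this campaign before any reputation engine did.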
Immediate containment actions: add the domain (and its subdomains) to organizational DNS and endpoint filters, and push the domain entry to browser and blocklist feeds. Do not block 104.21.84.117 itself: it is a shared Cloudflare edge address, so an IP block would disrupt unrelated sites without stopping the campaign, which can be moved to another edge address at any time. Users who have recently visited the site should disconnect it from their wallet and revoke any token approvals granted to it, move funds to cold storage (into a brand-new wallet if a seed phrase or private key was ever entered on the site), and scan their devices for malware. Residual risk is elevated because of the domain's novelty and the current absence of detections, and the campaign could escalate quickly if it gains traction. PhishDestroy recommends treating this domain as HIGH RISK until further intelligence emerges, prioritizing proactive blocking and user awareness to limit exposure.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP status not recorded)

## Domain Intelligence

- Registered: 2026-01-26 08:26:22
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.84.117 (Cloudflare edge address; origin server not visible)

## Detection Status

- VirusTotal: 0 of 95 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/e4ba3c83-7b46-49b6-b921-cabcda4f5e73
- PhishDestroy: https://phishdestroy.io/domain/noderoots.xyz/
- LLM endpoint: https://phishdestroy.io/domain/noderoots.xyz/llm.txt

## If You Visited This Site

1. Disconnect the site from your wallet and revoke any token approvals it was granted; if you entered a seed phrase or private key, move all funds to a new wallet immediately
2. Change any passwords you may have entered
3. Enable 2FA on all related accounts
4. Monitor your accounts and wallet addresses for unauthorized activity
5. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/noderoots.xyz/

Last updated: 2026-03-27