# nord-uae.com — SUSPICIOUS

> PhishDestroy identifies nord-uae.com as a crypto drainer impersonating NordVPN, flagged by 1/95 VirusTotal scanners.

## Summary

PhishDestroy identifies nord-uae.com as an active crypto drainer impersonating NordVPN, designed to trick users into connecting cryptocurrency wallets or submitting credentials under the guise of a legitimate service. This domain leverages brand impersonation to establish false credibility, exploiting NordVPN’s reputation to deliver malicious payloads such as wallet draining scripts or credential harvesting forms. The threat is elevated due to its active status, recent domain registration, and low detection rate, indicating a sophisticated and evolving attack vector targeting cryptocurrency users seeking privacy or security tools.

Technical indicators confirm the malicious intent behind nord-uae.com. VirusTotal analysis reveals only 1 out of 95 security vendors flagged the domain as malicious as of the seed timestamp 54afec, highlighting its stealthy nature and low detection rate. The domain resolves to IP address 87.121.105.51 and was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED on March 15, 2026, a suspiciously recent creation date for a service claiming affiliation with NordVPN. While the domain holds a valid Let's Encrypt SSL certificate to appear legitimate, this does not mitigate the risk, as threat actors frequently abuse trusted certificate authorities to bypass browser warnings. The combination of a newly registered domain, low detection rate, and SSL certificate underscores the urgency of treating this domain as hostile.

Users who have visited nord-uae.com should immediately cease any interaction with the site, including wallet connections or data submissions. Disconnect from the domain and scan connected cryptocurrency wallets for unauthorized transactions or drained funds. If credentials were entered, reset passwords on all accounts using the same credentials and enable two-factor authentication where available. Report the domain to your antivirus provider, browser vendor, and relevant cybersecurity platforms such as PhishDestroy, VirusTotal, or local CERT teams. Avoid accessing the domain from any device, as the crypto drainer may attempt to exploit browser vulnerabilities or inject malicious scripts. Proactively monitor financial accounts and cryptocurrency wallets for irregular activity, and consider revoking any wallet connection permissions granted to suspicious domains. Exercise heightened caution with domains claiming affiliation to NordVPN or similar brands, verifying official sources through direct navigation or trusted search engines before engaging.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-15 16:36:43
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 87.121.105.51

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/4a66be2c-4c2c-44a2-ac7c-ac8d70a9eff5
- PhishDestroy: https://phishdestroy.io/domain/nord-uae.com/
- LLM endpoint: https://phishdestroy.io/domain/nord-uae.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/nord-uae.com/
Last updated: 2026-03-22