# officialretik.pages.dev — SUSPICIOUS

> PhishDestroy identifies officialretik.pages.dev as an active crypto drainer phishing domain with 0/95 VirusTotal detections.

## Summary

PhishDestroy has identified an active cryptocurrency drainer campaign impersonating official platforms through the domain officialretik.pages.dev. The domain leverages Cloudflare’s infrastructure and a Google Trust Services SSL certificate to appear legitimate while hosting content designed to siphon digital assets from unsuspecting users. The threat actor behind the campaign employs a domain generation strategy, evidenced by the unique seed 040bbe, to rapidly deploy new infrastructure and evade detection.

Analysis of the site’s behavior indicates that it mimics legitimate download pages or service portals, tricking users into connecting cryptocurrency wallets under false pretenses. Once a wallet is connected, the site executes unauthorized transactions or prompts for irreversible fund transfers, targeting multiple blockchain networks. The campaign exemplifies the growing sophistication of crypto-related phishing, in which threat actors combine domain spoofing, HTTPS encryption, and urgency tactics to maximize victim engagement and financial yield.

Technical indicators strongly support the malicious nature of officialretik.pages.dev despite low detection rates. The domain was registered through Cloudflare, Inc., a common choice for threat actors seeking fast DNS resolution and traffic obfuscation. It resolves to the IP address 172.66.47.200 and, as of the latest scan, has zero detections on VirusTotal, indicating that it has not yet been widely flagged by security vendors. The absence of detections does not confirm legitimacy; it underscores the importance of proactive threat hunting.

The domain’s Google Trust Services SSL certificate further enhances its perceived trustworthiness, illustrating how threat actors increasingly abuse reputable certificate authorities to lend credibility to malicious sites. Security researchers monitoring this seed (040bbe) have observed multiple live variants, suggesting an evolving and scalable operation.

Users who have visited officialretik.pages.dev, entered credentials, connected wallets, or downloaded files from the site should take immediate action to limit potential damage:

- Disconnect all wallets connected from the browser or device used to access the domain, and revoke any permissions or token approvals you do not recognize through your wallet’s settings interface.
- If you suspect exposure, transfer any remaining assets to a cold wallet, and monitor transaction histories for unauthorized activity on Ethereum, Solana, and any other blockchain networks you use.
- Report the domain to your local cybersecurity authority and block it at the network level using firewall rules or DNS filtering.
- If cryptocurrency was lost, file a report with local law enforcement and contact your wallet provider for incident response support.
- Enable multi-factor authentication (MFA) on all related accounts and consider using a hardware wallet for long-term storage.
- Stay vigilant against similar campaigns by verifying URLs through official channels before engaging with any download or login prompt.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.200

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/df342e2d-db31-4c1d-a8f9-b1e2fe5b62f4
- PhishDestroy: https://phishdestroy.io/domain/officialretik.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/officialretik.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/officialretik.pages.dev/

Last updated: 2026-03-31