# okx-web3-usdt-trc20-payfor-00000063.pages.dev — MALICIOUS

> okx-web3-usdt-trc20-payfor-00000063.pages.dev is a brand impersonation domain impersonating OKX, with 13/95 VirusTotal detections.

## Summary

PhishDestroy identifies the infrastructure behind okx-web3-usdt-trc20-payfor-00000063.pages.dev as a live brand impersonation operation targeting OKX users. The domain is designed to mimic OKX’s Web3 interface and promote a USDT-TRC20 payment scheme, indicating the likely deployment of a crypto-draining kit aimed at siphoning funds under the guise of a legitimate deposit address. No overt credential harvesting pages were detected in the telemetry, suggesting the attack vector is asset exfiltration via fraudulent on-chain payment prompts rather than login capture.

This domain was flagged by 13 of 95 VirusTotal security vendors upon submission. It was registered through Cloudflare, Inc., resolves to IP 172.66.47.192, and leverages a Google Trust Services SSL certificate. The Google Safe Browsing (GSB) status is currently unlisted, but the infrastructure is already present in multiple threat intelligence feeds and blocklists due to prior crypto-drainage campaigns. Historical WHOIS data indicates the domain’s creation date aligns with the onset of the impersonation lures targeting OKX users seeking USDT-TRC20 deposit instructions.

As of this investigation, the campaign is marked as active and expanding through URL redirection chains. Immediate takedown requests through Cloudflare’s abuse channels and GSB reconsideration requests are recommended. Organizations should block 172.66.47.192 at the firewall and monitor for inbound traffic to the domain, as remaining risk includes continued user compromise and fund loss. Users are advised to verify all deposit addresses against OKX’s official channels and avoid clicking unsolicited links in social media or messaging platforms.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)
- Target brand: OKX

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.192

## Detection Status

- VirusTotal: 13 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/43c3c623-7b9e-4981-94bc-e6bc1b13224d
- PhishDestroy: https://phishdestroy.io/domain/okx-web3-usdt-trc20-payfor-00000063.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/okx-web3-usdt-trc20-payfor-00000063.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/okx-web3-usdt-trc20-payfor-00000063.pages.dev/

Last updated: 2026-03-28