# pad-user.chaingpt.workers.dev — SUSPICIOUS

> PhishDestroy identifies pad-user.chaingpt.workers.dev as a credential-stealing phishing site mimicking ChainGPT with 0/95 VirusTotal detections.

## Summary

PhishDestroy identifies pad-user.chaingpt.workers.dev as an active credential-stealing phishing domain designed to trick users into surrendering their crypto wallet login details. The site masquerades as a legitimate ChainGPT service, luring victims with an authentic-looking workers.dev subdomain that leverages Cloudflare’s infrastructure to appear trustworthy. This is not a random phishing attempt—it targets users specifically interested in blockchain and AI tools, using HTTPS encryption (Google Trust Services certificate) to bypass browser warnings. The domain resolves to IP 104.21.68.87, a Cloudflare endpoint commonly abused in short-lived credential harvesting campaigns.

This domain was flagged by PhishDestroy with threat type 'generic_phishing' and risk level 'under_investigation'. It shows 0 detections out of 95 VirusTotal scans as of the latest assessment, indicating it evades most automated detection systems. The domain is registered through Cloudflare, Inc., a common choice for attackers due to its privacy protections and rapid deployment capabilities. While the SSL certificate is issued by Google Trust Services and appears valid, this does not guarantee the site’s legitimacy—it only means the connection is encrypted, not that the site is safe. The workers.dev subdomain suggests it was likely created recently, possibly within days or weeks, to capitalize on trending AI and crypto services like ChainGPT.

If you visited pad-user.chaingpt.workers.dev, do NOT enter any login credentials, wallet addresses, private keys, or personal information. Immediately disconnect from the site and clear your browser cache. Scan your device with reputable antivirus software such as Malwarebytes or Windows Defender, and consider changing passwords for any accounts you may have accessed from the same browser session. Monitor your crypto wallets and financial accounts for unauthorized transactions. Report the domain to your antivirus provider and to PhishDestroy’s abuse channel if available. Avoid accessing this site in the future—it is under active investigation and poses a high risk of credential theft and financial loss.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 104.21.68.87

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/pad-user.chaingpt.workers.dev
- PhishDestroy: https://phishdestroy.io/domain/pad-user.chaingpt.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/pad-user.chaingpt.workers.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pad-user.chaingpt.workers.dev/

Last updated: 2026-04-09