# pages.dev — SUSPICIOUS

> pages.dev is a live credential theft domain with 2/95 VirusTotal detections targeting brand impersonation. Take action now to secure your accounts.

## Summary
PhishDestroy identifies an active credential theft campaign leveraging the domain pages.dev, registered through Cloudflare, Inc. This domain resolves to IP 104.18.21.135 and currently exhibits elevated risk due to its association with a live phishing infrastructure. The domain employs a Google Trust Services SSL certificate, which may mislead users into perceiving it as legitimate. Security vendors and blocklists have begun flagging this domain, though detection remains inconsistent, creating a window of opportunity for attackers to harvest credentials unnoticed. Users interacting with this domain risk exposing login credentials, payment details, or other sensitive data to an adversary-controlled server.

This domain was flagged by PhishDestroy after analysis confirmed its involvement in credential theft operations. VirusTotal reports detections by 2 out of 95 security vendors, while the domain appears on 1 active blocklist. The domain resolves to IP 104.18.21.135 and is registered under Cloudflare, Inc., a common choice for threat actors seeking to obfuscate their infrastructure. The presence of a Google Trust Services SSL certificate further enhances the domain’s perceived legitimacy, making it a more effective tool for social engineering attacks. The low blocklist coverage and limited vendor detection suggest this campaign is either newly active or employing evasion techniques to delay identification.

If you have visited pages.dev or entered any credentials, assume your data has been compromised. Immediately change passwords for accounts associated with this domain, enable multi-factor authentication where available, and scan your device for malware using reputable security software. Report the domain to your organization’s security team or to PhishDestroy to aid in broader threat mitigation efforts. Avoid re-engaging with this domain and warn others in your network to prevent further exposure. Monitor financial accounts for unauthorized activity and consider freezing credit if sensitive information was provided.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 104.18.21.135

## Detection Status
- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hits
  Lists: ["CryptoFirewall"]

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/8d5e3761-fe23-4d7d-a70d-36d01670dff6
- PhishDestroy: https://phishdestroy.io/domain/pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/pages.dev/
Last updated: 2026-03-22