# pay.tetherenterprises.com — SUSPICIOUS

> pay.tetherenterprises.com is a live Tether brand phishing domain registered on 2025-07-21 that serves a crypto drainer kit.

## Summary

PhishDestroy identifies pay.tetherenterprises.com as an active, low-duration domain currently weaponized for fraud through a Tether Enterprises impersonation campaign. The page title “Online payment @ Tether Enterprises” and SSL certificate issued by GoDaddy confirm presentation-layer mimicry designed to harvest private keys and seed phrases. While VirusTotal currently shows 0/95 detections, behavioural indicators reveal real-time drainer behaviour aimed at emptying cryptocurrency wallets within seconds of seed entry.

Domain metadata align with high-risk fast-flux tactics: created on 2025-07-21, resolving to IPv4 100.49.0.246, registered via GoDaddy.com, LLC using a GoDaddy SSL. Google Safe Browsing (GSB) has not yet listed the domain, and public blocklists remain empty, indicating an emerging campaign still under the adversary’s control. The absence of detections on VT is attributed to the freshness of the domain and the use of runtime obfuscation inside the drainer kit rather than static payloads.

The domain remains active as of seed a0dea1 and is considered under investigation by multiple threat-intel teams. Users are advised to block 100.49.0.246 at the firewall and add pay.tetherenterprises.com to DNS sinkholes or ad-block lists. Remaining risk is HIGH until GSB or VT classifications catch up; recommendations include endpoint monitoring for clipboard-modifying malware and wallet-extension inspection for injected scripts.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Page title: Online payment @ Tether Enterprises

## Domain Intelligence

- Registered: 2025-07-21 19:12:42
- Registrar: GoDaddy.com, LLC
- IP: 100.49.0.246

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/e7dc829e-b5b9-4473-ad96-4356a060c5c2
- PhishDestroy: https://phishdestroy.io/domain/pay.tetherenterprises.com/
- LLM endpoint: https://phishdestroy.io/domain/pay.tetherenterprises.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pay.tetherenterprises.com/

Last updated: 2026-03-25