# phantom-blh.pages.dev — MALICIOUS — Crypto Drainer (Solana Drainer)

> Domain phantom-blh.pages.dev is a high-risk Solana crypto drainer impersonating Phantom wallet. Flagged by 0 of 95 VirusTotal vendors. Avoid immediately.

## Summary

The domain phantom-blh.pages.dev is a high-risk cryptocurrency drainer targeting Solana users, currently active and impersonating the Phantom wallet brand. This malicious site employs a Solana drainer kit designed to siphon cryptocurrency assets from unsuspecting victims. The threat is classified as a crypto drainer with a high risk level, indicating immediate danger to users' digital assets. According to recent intelligence, this domain was flagged by PhishDestroy (unique seed: e1b11c) and remains unflagged by VirusTotal vendors, making it a stealthy and emerging threat.

PhishDestroy identifies this domain as a critical security risk with multiple indicators of compromise. The domain resolves to IP address 188.114.96.3, registered through Cloudflare, Inc. Notably, 0 out of 95 VirusTotal vendors have flagged this domain, suggesting it has evaded automated detection systems. The SSL certificate is issued by Google Trust Services, which may lend an air of legitimacy, but this should not be considered a trust indicator given the context of cryptocurrency drainers. The malicious infrastructure is hosted on Cloudflare's pages.dev platform, further complicating detection due to Cloudflare's widespread and legitimate use. The domain's recent creation and lack of detection make it particularly hazardous to cryptocurrency users, especially those utilizing Phantom wallets.

This domain is a confirmed active threat with no current blocklist presence, as evidenced by the 0/95 VirusTotal detection rate. The combination of brand impersonation (Phantom wallet), a Solana-specific drainer kit, and Cloudflare hosting creates a highly effective attack vector. Users interacting with this domain risk immediate financial loss due to unauthorized cryptocurrency transactions. Concrete recommendations include avoiding all interactions with phantom-blh.pages.dev, verifying wallet URLs through official Phantom channels, and reporting suspicious domains to security platforms. Additionally, users should monitor their cryptocurrency wallets for unauthorized transactions and consider using hardware wallets or multi-signature setups for enhanced security. The absence of VirusTotal detections underscores the need for heightened vigilance and proactive threat intelligence sharing among cryptocurrency users and security researchers.

## Threat Details

- Verdict: MALICIOUS — Crypto Drainer (Solana Drainer)
- Site status: unknown (HTTP ?)
- Drainer type: Solana Drainer
- Target brand: Phantom

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/ed9ede9d-261b-466d-b012-fee6eaa3dc0d
- PhishDestroy: https://phishdestroy.io/domain/phantom-blh.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/phantom-blh.pages.dev/llm.txt

## If You Visited This Site

1. Revoke all token approvals immediately (revoke.cash / unrekt.net)
2. Move remaining funds to a new wallet
3. Do not interact with any transactions from this site
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/phantom-blh.pages.dev/

Last updated: 2026-03-30