# polymarket.0auth.select — SUSPICIOUS

> Analyzing active crypto drainer impersonating Polymarket via the domain polymarket.0auth.select. Zero detections on VirusTotal as of seed 8e0a7c.

## Summary

PhishDestroy identifies the domain polymarket.0auth.select as an active crypto drainer campaign impersonating the Polymarket brand. The threat uses a deceptive subdomain structure to mimic official authentication pages and harvest wallet credentials or initiate unauthorized transfers.

This domain was flagged by 0 of 95 VirusTotal vendors, registered through Cloudflare, Inc. on March 30, 2026, resolving to IP 172.67.196.16. No current blocklist detections are present, and the SSL certificate is issued by Let's Encrypt, indicating recent operational deployment. The campaign remains active and under investigation.

Users must avoid visiting polymarket.0auth.select, verify all URLs against official Polymarket domains, and report wallet interactions to security teams. Block the IP 172.67.196.16 and domain at network gateways. Conduct enhanced monitoring for drainer signatures on-chain and in endpoint logs.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-30 05:48:01
- Registrar: Cloudflare, Inc.
- IP: 172.67.196.16

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/e0bad059-2184-4298-8d36-fc16a8ad6e6e
- PhishDestroy: https://phishdestroy.io/domain/polymarket.0auth.select/
- LLM endpoint: https://phishdestroy.io/domain/polymarket.0auth.select/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/polymarket.0auth.select/

Last updated: 2026-03-30