# pub-12823fbd443740db82cdf220f279156a.r2.dev — MALICIOUS

> pub-12823fbd443740db82cdf220f279156a.r2.dev is a credential-harvesting phishing site hosted on Cloudflare R2, flagged by 16/95 VirusTotal engines.

## Summary

This domain operates as a credential-harvesting phishing portal designed to trick users into submitting sensitive login details. The site mimics legitimate login pages to capture usernames, passwords, or financial information, which are then harvested by attackers for identity theft or account takeover. Security researchers have confirmed that this domain resolves to IP 104.18.54.45 and is actively distributing malicious content aimed at unsuspecting visitors.

PhishDestroy identifies this site as a confirmed phishing threat based on multiple intelligence sources. The domain is flagged by 16 out of 95 VirusTotal security vendors and appears on three recognized phishing blocklists, including OpenPhish and PhishingArmy. It utilizes a Let's Encrypt SSL certificate to appear legitimate and has been active long enough to accumulate a significant blacklist footprint. This domain is part of a broader campaign leveraging Cloudflare's infrastructure to evade detection and host malicious landing pages.

If you visited this domain, do not enter any personal or financial information. Immediately check your accounts for unauthorized activity, especially those tied to email or banking credentials. Run a malware scan on your device using trusted antivirus software and consider enabling two-factor authentication on critical accounts. Report the incident to your organization's security team or to the platform being impersonated (e.g., email provider, bank). Avoid clicking any links from unsolicited emails or messages that may have led you here. Stay alert for follow-up phishing attempts, as attackers often reuse compromised credentials across multiple services.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.54.45

## Detection Status

- VirusTotal: 16 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 3 hits
  - Lists: ["OpenPhish", "PhishingArmy", "OISD"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/a202a0a6-b29b-4d24-b5c8-7f10c10f1fd8
- PhishDestroy: https://phishdestroy.io/domain/pub-12823fbd443740db82cdf220f279156a.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-12823fbd443740db82cdf220f279156a.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-12823fbd443740db82cdf220f279156a.r2.dev/

Last updated: 2026-03-27