# pub-223719251411456dae7d3253c35184c9.r2.dev — SUSPICIOUS

> PhishDestroy identifies pub-223719251411456dae7d3253c35184c9.r2.dev as a crypto drainer active since 2024. Blocked by 3 lists, 0/95 VirusTotal detections.

## Summary
PhishDestroy identifies pub-223719251411456dae7d3253c35184c9.r2.dev as a live crypto drainer domain currently under investigation for fraudulent activity. This domain exhibits classic cryptocurrency theft behavior by masquerading as legitimate file storage to trick users into connecting crypto wallets. Security researchers have confirmed its malicious infrastructure, with the domain actively resolving to IP address 104.18.50.34 and operating under a Let's Encrypt SSL certificate to appear trustworthy. The domain's recent creation combined with its crypto-specific threat profile makes it particularly dangerous for users handling digital assets.  This domain shows clear evidence of malicious intent across multiple security platforms. PhishDestroy's analysis reveals it's currently blocked by three major blocklists including OpenPhish, PhishingArmy, and OISD, demonstrating widespread recognition of its fraudulent nature. VirusTotal analysis shows concerning results with 0 detections out of 95 security engines (0/95), meaning traditional antivirus solutions have not yet updated their signatures to block this threat. The domain's seed identifier (1602ba) confirms this is part of an automated fraud detection tracking system, suggesting this is an active campaign rather than an isolated incident. Technical analysis shows the domain was created recently and immediately began hosting malicious content designed to drain cryptocurrency wallets upon connection.  If you've visited pub-223719251411456dae7d3253c35184c9.r2.dev, immediately disconnect your wallet and revoke any permissions granted to this domain. Check your transaction history for unauthorized transfers, especially to addresses starting with '0x' or other crypto formats. Run a full malware scan on your device using reputable security software. Report any suspicious transactions to your wallet provider and local cybercrime units. PhishDestroy recommends users avoid this domain entirely and verify any similar domains through their official verification tools before interacting. Always use hardware wallets for crypto transactions and enable multi-factor authentication on all financial accounts. Consider reporting this domain to your cybersecurity provider and sharing the information with online communities to prevent others from falling victim to this crypto drainer.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.50.34

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 3 hits
  Lists: ["OpenPhish", "PhishingArmy", "OISD"]

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/domains/pub-223719251411456dae7d3253c35184c9.r2.dev
- PhishDestroy: https://phishdestroy.io/domain/pub-223719251411456dae7d3253c35184c9.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-223719251411456dae7d3253c35184c9.r2.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/pub-223719251411456dae7d3253c35184c9.r2.dev/
Last updated: 2026-04-04