# pub-3b2161932db04c4eaa01be3fb152244b.r2.dev — SUSPICIOUS > pub-3b2161932db04c4eaa01be3fb152244b.r2.dev is a crypto drainer domain impersonating a well-known brand. Check for safety on PhishDestroy before engaging. ## Summary The domain pub-3b2161932db04c4eaa01be3fb152244b.r2.dev has been identified as an active crypto drainer phishing page currently deployed in the wild. This malicious infrastructure mimics reputable services to deceive users into connecting cryptocurrency wallets under false pretenses, specifically aiming to drain digital assets within seconds of wallet authorization. According to real-time telemetry, this threat remains unmitigated and continues to operate without takedown intervention at the time of analysis. PhishDestroy confirms that this domain is flagged by 0 of 95 VirusTotal detection engines, indicating minimal signature-based detection coverage. The domain is registered under Cloudflare’s R2 service and resolves to IP address 104.18.50.34, which hosts content behind a valid Let’s Encrypt SSL certificate. The domain was observed on three independent threat intelligence blocklists including OpenPhish, PhishingArmy, and OISD, and has been formally flagged by Google Safe Browsing under the SOCIAL_ENGINEERING classification. Despite being unflagged by most antivirus solutions, this domain presents an elevated risk profile due to confirmed malicious behavior and widespread inclusion in curated threat feeds. This domain remains active and poses a tangible threat to unsuspecting users engaging with cryptocurrency platforms. Given the absence of active takedown and low detection rates, users are strongly advised to avoid accessing or interacting with pub-3b2161932db04c4eaa01be3fb152244b.r2.dev under any circumstances. For secure validation, users should consult PhishDestroy for real-time reputation checks and consider blocking the associated IP (104.18.50.34) at the network perimeter. Organizations are urged to update network defenses to include the domain and IP in blocklists and conduct user awareness training highlighting the tactics used by crypto drainer campaigns leveraging cloud storage domains. Immediate incident response procedures should be initiated if this domain is detected within enterprise environments. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: REGISTRAR_NOT_FOUND - IP: 104.18.50.34 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: FLAGGED - Blocklists: 3 hits Lists: ["OpenPhish", "PhishingArmy", "OISD"] ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/domains/pub-3b2161932db04c4eaa01be3fb152244b.r2.dev - PhishDestroy: https://phishdestroy.io/domain/pub-3b2161932db04c4eaa01be3fb152244b.r2.dev/ - LLM endpoint: https://phishdestroy.io/domain/pub-3b2161932db04c4eaa01be3fb152244b.r2.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/pub-3b2161932db04c4eaa01be3fb152244b.r2.dev/ Last updated: 2026-04-04