# pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev — MALICIOUS

> pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev flagged by 16/95 VirusTotal engines for credential theft phishing. Check the full report.

## Summary

PhishDestroy identifies pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev as a high-risk domain hosting a credential-stealing phishing campaign designed to harvest login credentials under the guise of a legitimate service page. The infrastructure mimics a cloud storage or login portal, tricking users into entering credentials that are immediately exfiltrated to attacker-controlled servers. The domain was flagged by multiple threat intelligence platforms after reports indicated successful user deception through spoofed login forms hosted on a seemingly trusted cloud domain.

The operators are likely targeting personal accounts, corporate logins, or SaaS platforms, using stolen credentials for account takeover, data exfiltration, or lateral movement within compromised networks. Hosting the lure on a cloud object storage domain (r2.dev) lends it legitimacy and increases the likelihood that users engage with it.

The domain is confirmed malicious on the strength of several indicators: it appears on 4 separate security blocklists (OpenPhish, PhishingArmy, PhishingDB, and OISD), and 16 of 95 VirusTotal vendors flag it as malicious, with detection names covering credential phishing, data harvesting, and fraudulent login pages. It resolves to 104.18.50.34, a shared Cloudflare anycast edge address; many unrelated sites resolve to the same IP, so the address corroborates the finding but is not a reliable indicator on its own. The TLS certificate, issued by Let's Encrypt, is valid, and the hostname follows the `pub-<32 hex>.r2.dev` pattern that Cloudflare assigns to any R2 bucket's public development URL. Neither the padlock nor the Cloudflare-operated domain says anything about who uploaded the content: anyone with a free Cloudflare account can obtain such a hostname, which is exactly why the lure looks trustworthy.
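The indicator caveats above translate directly into a hunt. The following Python is an added example written for this page, not PhishDestroy's code: it sweeps constructed proxy log lines for the exact IOC hostname and for any other `pub-<32 hex>.r2.dev` public-bucket host, normalising case, ports and trailing dots, and records whether the destination IP matched the reported edge address as corroboration only, never as a blocking indicator. The log format, the client addresses and the second bucket hostname are assumptions made for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators taken from the report above.
IOC_DOMAINS = {"pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev"}
# The reported IP is a shared Cloudflare edge address; many unrelated sites
# resolve to it, so it is used only to corroborate a hostname match.
SHARED_EDGE_IPS = {"104.18.50.34"}

# Cloudflare R2 public-bucket development hostname: "pub-" + 32 hex chars + ".r2.dev"
R2_PUBLIC_HOST = re.compile(r"^pub-[0-9a-f]{32}\.r2\.dev$")


def host_of(value: str) -> str | None:
    """Return a normalised hostname (lowercase, no port, no trailing dot) from a URL or bare host."""
    target = value if "://" in value else "//" + value
    host = urlsplit(target).hostname  # lowercases and strips any :port
    return host.rstrip(".") if host else None


def classify(host: str) -> str | None:
    """'block' for a listed IOC, 'review' for any other R2 public bucket, None otherwise."""
    if host in IOC_DOMAINS:
        return "block"
    if R2_PUBLIC_HOST.match(host):
        # Legitimate public buckets exist, so this is a triage queue, not a block.
        return "review"
    return None


def hunt(log_lines: list[str]) -> list[dict]:
    """Scan 'timestamp client url dest_ip' proxy lines and return the hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, url, dest_ip = parts
        host = host_of(url)
        if not host:
            continue
        verdict = classify(host)
        if verdict is None:
            continue
        hits.append({
            "ts": ts,
            "client": client,
            "host": host,
            "verdict": verdict,
            "ip_corroborates": dest_ip in SHARED_EDGE_IPS,
        })
    return hits


def exposed_clients(hits: list[dict]) -> set[str]:
    """Clients that reached a 'block' host: candidates for forced password resets and MFA review."""
    return {h["client"] for h in hits if h["verdict"] == "block"}


# Constructed sample proxy log (not real telemetry): timestamp client url dest_ip.
# The second bucket hostname and all client/destination addresses are made up.
SAMPLE_LOG = [
    "2026-03-27T09:14:02Z 10.20.1.17 https://pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev/login.html 104.18.50.34",
    "2026-03-27T09:14:09Z 10.20.1.17 https://accounts.example.com/signin 203.0.113.10",
    "2026-03-27T09:20:31Z 10.20.1.44 https://pub-0123456789abcdef0123456789abcdef.r2.dev/app.js 104.18.51.12",
    "2026-03-27T09:21:00Z 10.20.1.44 https://PUB-485C938C1A1B43B2BBC5B99155F2DE68.r2.dev:443/login.html 104.18.50.34",
    "2026-03-27T09:25:00Z 10.20.1.50 https://r2.dev.example.net/pub-485c938c1a1b43b2bbc5b99155f2de68 198.51.100.7",
    "garbage line",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("clients needing credential reset:", sorted(exposed_clients(found)))
```

The fifth sample line is a deliberate lookalike: the IOC string appears in the path of an unrelated host, and matching on the normalised hostname rather than a substring of the URL keeps it out of the results.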
As a subdomain of Cloudflare's r2.dev, the host has no registrar record of its own, and the bucket's creation date is not exposed by available intelligence. The combination of a high detection rate, blocking across several platforms, and active phishing behaviour nonetheless points to recently activated attacker infrastructure.

Users who visited this domain, particularly anyone who entered login credentials, should immediately change the password for the affected account and enable multi-factor authentication where available. Scan the devices used to access the site for malware or keyloggers, report any compromised account to the relevant service provider, and watch for unusual activity. Do not reuse the exposed password anywhere else. If the credentials belonged to a work account, notify your organisation's security team so it can reset sessions and review access logs. The site's current status could not be confirmed at the last check; treat the domain as live and block it at the DNS, proxy, and browser level to prevent repeated exposure.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP status not retrieved)

## Domain Intelligence

- Registrar: not found (the host is a subdomain of Cloudflare-operated r2.dev and has no registration of its own)
- IP: 104.18.50.34 (shared Cloudflare edge address)

## Detection Status

- VirusTotal: 16 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 4 hits (OpenPhish, PhishingArmy, PhishingDB, OISD)

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/950be849-a629-4416-9428-f769f8f4b9b5
- PhishDestroy: https://phishdestroy.io/domain/pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-485c938c1a1b43b2bbc5b99155f2de68.r2.dev/

Last updated: 2026-03-27