# pub-4e9d559e11c54314b7639d20c3d13682.r2.dev — MALICIOUS

> pub-4e9d559e11c54314b7639d20c3d13682.r2.dev is a crypto drainer phishing domain flagged by 20/95 VirusTotal vendors. Avoid this high-risk site immediately.

## Summary

PhishDestroy identifies pub-4e9d559e11c54314b7639d20c3d13682.r2.dev as an active crypto drainer scam designed to steal cryptocurrency from unsuspecting users. This domain employs deceptive tactics to trick victims into connecting their wallets or entering private keys, enabling attackers to drain funds directly. The infrastructure is engineered to mimic legitimate cloud storage services through its Cloudflare R2 domain pattern, which lends false credibility to the phishing attempt. Users who interact with this domain risk irreversible financial loss, as crypto drainers often automate unauthorized transfers once wallet connections are established.

This domain was flagged by 20 out of 95 VirusTotal security vendors and appears on 6 major blocklists including OpenPhish, MetaMask, PhishingArmy, SEAL, and PhishingDB. The domain resolves to IP 104.18.54.45 and is secured with a Let's Encrypt SSL certificate, which it uses to appear legitimate. These technical indicators, combined with the high-risk classification, confirm its malicious intent. The domain's recent activity and multi-vendor detection underscore its ongoing threat to users engaging with cryptocurrency platforms.

If you visited pub-4e9d559e11c54314b7639d20c3d13682.r2.dev, immediately revoke any wallet connections using tools like Revoke.cash or your wallet's built-in connection manager. Scan your device with reputable antivirus software like Malwarebytes or Windows Defender to detect any installed malware. Report the domain to your wallet provider and local cybercrime units. Avoid interacting with any prompts or requests for private keys or seed phrases. Stay vigilant by using hardware wallets and verifying URLs through official channels before taking any action.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.54.45

## Detection Status

- VirusTotal: 20 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 6 hits (OpenPhish, MetaMask, PhishingArmy, SEAL, PhishingDB, OISD)

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/ba32ebd0-cdd7-45b7-90d0-2f02c8594794
- PhishDestroy: https://phishdestroy.io/domain/pub-4e9d559e11c54314b7639d20c3d13682.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-4e9d559e11c54314b7639d20c3d13682.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-4e9d559e11c54314b7639d20c3d13682.r2.dev/

Last updated: 2026-03-27