# pub-5f11b9974e614f609e3a198a30489fef.r2.dev — MALICIOUS

> pub-5f11b9974e614f609e3a198a30489fef.r2.dev hosts a verified phishing scam. 17 of 95 VirusTotal vendors flagged it. Check the full report.

## Summary
PhishDestroy identifies pub-5f11b9974e614f609e3a198a30489fef.r2.dev as an active phishing domain distributing a fake login credential harvesting scam. This threat is currently classified as high-risk and is actively impersonating a legitimate cloud storage service to deceive users into entering sensitive account details. The campaign relies on a spoofed interface that closely mirrors a popular provider’s authentication page, tricking victims into submitting usernames and passwords.  

This domain was flagged by 17 of 95 VirusTotal security vendors and is blocked by OpenPhish, PhishingArmy, and OISD. It resolves to IP 104.18.50.34 and operates under a valid Let's Encrypt SSL certificate, which enhances its credibility. The domain resolves within Cloudflare’s R2 storage network and is served via proxy infrastructure to evade detection. With a current detection rate of 18% on VirusTotal and presence on three major blocklists, the domain exhibits elevated malicious intent and operational maturity.  

Due to its high-risk classification, active campaign, and use of legitimate infrastructure (including valid SSL and cloud hosting), users are strongly advised to avoid interacting with pub-5f11b9974e614f609e3a198a30489fef.r2.dev entirely. If this domain appeared in any email, message, or website, treat it as a confirmed phishing lure and report it to your security team or platform provider immediately. Enable multi-factor authentication (MFA) on all cloud storage and email accounts to mitigate credential theft risks. Use browser extensions like uBlock Origin with anti-phishing filters or corporate DNS filtering solutions to block access to this domain in real time.

## Threat Details
- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.50.34

## Detection Status
- VirusTotal: 17 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 3 hits
  Lists: ["OpenPhish", "PhishingArmy", "OISD"]

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/30f9a7fc-d452-4f7b-95f9-c0e5d24a947d
- PhishDestroy: https://phishdestroy.io/domain/pub-5f11b9974e614f609e3a198a30489fef.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-5f11b9974e614f609e3a198a30489fef.r2.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/pub-5f11b9974e614f609e3a198a30489fef.r2.dev/
Last updated: 2026-03-27