# pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev — MALICIOUS

> This R2.dev subdomain (pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev) hosts a fake login portal detected by 17 VirusTotal scanners; avoid entering personal data.

## Summary

PhishDestroy identifies pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev as an active fake-login phishing domain designed to steal usernames, passwords, or payment details. Once visited, the page mimics a legitimate login or checkout interface, tricking users into typing sensitive information that is immediately harvested by attackers. This technique is often paired with fraudulent emails or messages to increase the chance of victim interaction. Because the domain leverages Cloudflare’s R2 storage subdomain, it can appear more convincing at first glance while still hosting malicious content behind the scenes.

This domain was flagged by PhishingArmy and OISD blocklists and is currently resolved to IP 104.18.50.34. VirusTotal reports that 17 out of 95 participating security vendors have already marked the domain as malicious. The SSL certificate issued by Let’s Encrypt helps the site display the padlock icon, increasing trust among unsuspecting visitors. The domain is registered through Cloudflare’s registrar and is part of a larger campaign that has been active since its creation; users should treat any interaction with this URL as hazardous until confirmed otherwise.

If you visited pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev, assume your credentials or payment details may have been compromised. Immediately change passwords for any accounts tied to the same email or username, enable two-factor authentication where possible, and review recent transaction histories for unauthorized charges. Run a full antivirus scan on your device and consider revoking any saved payment methods used on the site. Report the incident to your IT team or security provider and avoid clicking links or downloading files from similar URLs in the future.
Staying vigilant and verifying domains through trusted sources can prevent further exposure to this and similar threats.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.50.34

## Detection Status

- VirusTotal: 17 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  - Lists: ["PhishingArmy", "OISD"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev
- PhishDestroy: https://phishdestroy.io/domain/pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-7b9dc54f172c4efbb2c731d4aa2f884a.r2.dev/

Last updated: 2026-04-02