# pub-9e2030303d9b43ffaedcde988f24645c.r2.dev — MALICIOUS

> pub-9e2030303d9b43ffaedcde988f24645c.r2.dev is a crypto drainer domain. VirusTotal flags this domain with a 19/95 detection score.

## Summary

PhishDestroy identifies pub-9e2030303d9b43ffaedcde988f24645c.r2.dev as an active domain engaged in generic phishing operations, specifically a crypto drainer kit designed to siphon cryptocurrency assets from unsuspecting users. This domain resolves to the IP address 104.18.54.45 and is associated with a Let's Encrypt SSL certificate. Security vendor analysis via VirusTotal indicates a high detection rate with 19 out of 95 vendors flagging it as malicious.

The domain was created recently and is currently registered under Cloudflare. Google Safe Browsing (GSB) has not yet marked this domain as unsafe, but it has already been blocked by two prominent security blocklists, including PhishingArmy and OISD. This combination of indicators suggests a rapidly evolving and actively distributed threat.

As of this advisory, pub-9e2030303d9b43ffaedcde988f24645c.r2.dev remains an active and elevated-risk domain. Immediate defensive actions include blocking the domain at the network perimeter and updating endpoint security solutions to include this indicator. Users are strongly advised to exercise extreme caution when encountering this domain or any associated URLs. While this domain is currently flagged, attackers often shift infrastructure to evade detection, so continued monitoring and proactive threat hunting remain critical. The residual risk remains significant due to the domain’s fresh registration, low GSB flagging, and active use in phishing campaigns.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.54.45

## Detection Status

- VirusTotal: 19 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  - Lists: PhishingArmy, OISD

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/a0bc420e-b080-4a6b-bea8-9e35738673dc
- PhishDestroy: https://phishdestroy.io/domain/pub-9e2030303d9b43ffaedcde988f24645c.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-9e2030303d9b43ffaedcde988f24645c.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-9e2030303d9b43ffaedcde988f24645c.r2.dev/

Last updated: 2026-03-23