# pub-b03a69ad30ee4739a0deca2eabea959e.r2.dev — MALICIOUS

> Investigation confirms credential harvesting at pub-b03a69ad30ee4739a0deca2eabea959e.r2.dev with 17/95 VT detection.

## Summary

PhishDestroy identifies active credential harvesting infrastructure hosted at pub-b03a69ad30ee4739a0deca2eabea959e.r2.dev, a Cloudflare R2 subdomain leveraged in ongoing phishing campaigns targeting user credentials. The domain shows no affiliation with legitimate brands but mimics generic login portals to harvest entered credentials. Security telemetry reveals integration with commodity drainer kits designed for immediate exfiltration to attacker-controlled endpoints.

Technical indicators for this threat include a VirusTotal detection score of 17/95 security vendors, registration under Cloudflare's infrastructure, resolution to IP 104.18.50.34, and the use of a Let's Encrypt SSL certificate. Domain creation details are masked via Cloudflare’s privacy protection, though it appears on 2 independent blocklists including PhishingArmy and OISD. Google Safe Browsing has not yet flagged this domain, suggesting a window of exposure that adversaries are actively exploiting.

This domain remains active with elevated risk to end-users who may inadvertently submit sensitive data. Immediate response actions include network-wide DNS blocking of both the domain and its resolving IP, 104.18.50.34. Organisations are advised to inspect proxy logs for HTTP(S) traffic to this domain and validate authentication portals against known legitimate endpoints. Remaining risk persists due to unpatched user behavior and delayed global blocklist propagation, underscoring the need for continuous monitoring and user awareness training.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)
## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.50.34

## Detection Status

- VirusTotal: 17 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  Lists: ["PhishingArmy", "OISD"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/c3d66c63-8e7f-4ca7-8a31-091f892f5eb5
- PhishDestroy: https://phishdestroy.io/domain/pub-b03a69ad30ee4739a0deca2eabea959e.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-b03a69ad30ee4739a0deca2eabea959e.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-b03a69ad30ee4739a0deca2eabea959e.r2.dev/

Last updated: 2026-03-23