# pub-b7fda1e0060f418199431736a36c9d53.r2.dev — MALICIOUS

> PhishDestroy identifies pub-b7fda1e0060f418199431736a36c9d53.r2.dev as a live crypto wallet login drainer kit. Check the full report.

## Summary

PhishDestroy’s forensic analysis identifies pub-b7fda1e0060f418199431736a36c9d53.r2.dev as a high-risk crypto wallet login phishing domain. The infrastructure mimics legitimate cloud-storage subdomains to harvest wallet credentials and seed phrases, classifying the threat as a drainer-kit rather than generic phishing. No specific brand is spoofed, but the landing page replicates common wallet-login UIs to deceive users into surrendering private keys. Creation appears automated, leveraging a randomized prefix to evade simple detection rules.

Technical indicators confirm hostile intent: VirusTotal records 20/95 security vendors flagging the domain, while public blocklists from OpenPhish, PhishingArmy, and OISD already block access. The domain resolves to IPv4 address 104.18.54.45 and is secured by a Let’s Encrypt SSL certificate. The registrar remains unconfirmed, but the domain’s age suggests recent registration aimed at short-lived campaigns. Google Safe Browsing has not yet marked the domain as malicious, leaving a window for continued exploitation.

The domain remains active as of this report, with active takedown requests submitted to the hosting provider and registrar. Despite these actions, the risk level stays high due to the drainer kit’s ability to exfiltrate cryptocurrency in real time. Users are strongly advised to verify wallet URLs via official channels, enable hardware wallet authentication, and immediately revoke any exposed seed phrases. Continuous monitoring shows the domain continues to resolve, indicating an unresolved threat requiring urgent user vigilance.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.54.45

## Detection Status

- VirusTotal: 20 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 3 hits
  - Lists: OpenPhish, PhishingArmy, OISD

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/14838368-4bd0-4949-b871-30886658132b
- PhishDestroy: https://phishdestroy.io/domain/pub-b7fda1e0060f418199431736a36c9d53.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-b7fda1e0060f418199431736a36c9d53.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-b7fda1e0060f418199431736a36c9d53.r2.dev/

Last updated: 2026-03-27