# pub-bda0c66467384daeb36a5ade8cd6385b.r2.dev — SUSPICIOUS

> This r2.dev subdomain is a credential-harvesting site resolving to 104.18.50.34. Active phishing campaign lures victims to steal login details.

## Summary

PhishDestroy identifies pub-bda0c66467384daeb36a5ade8cd6385b.r2.dev as a live credential-harvesting portal currently distributing fake login pages to unsuspecting users. Security telemetry confirms the domain is actively resolving to 104.18.50.34 and presenting a Let's Encrypt SSL certificate to appear legitimate. Preliminary analysis suggests the infrastructure is being abused to harvest credentials under the guise of a trusted cloud storage service, with traffic potentially redirected from compromised advertisements or spoofed emails.

This domain was flagged by four independent threat intelligence feeds: OpenPhish, PhishingArmy, PhishingDB, and OISD. VirusTotal analysis shows zero detection across 95 engines, indicating this threat has evaded traditional antivirus coverage. Infrastructure mapping reveals the domain is hosted on Cloudflare R2, a legitimate cloud storage platform leveraged by threat actors to host malicious content. Despite its recent deployment, the domain has already been blacklisted by multiple security vendors, signaling rapid escalation in malicious activity.

Users who recently visited this domain should immediately scan their devices for malware and review any credentials entered on the site. Change passwords used on this page immediately and enable multi-factor authentication where possible. Disconnect from untrusted networks and monitor financial accounts for signs of credential misuse. Report any suspicious activity to your security team and avoid interacting with similar domains in the future. Consider using a password manager with phishing detection to prevent accidental submissions on counterfeit pages.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.50.34

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 4 hits
  Lists: ["OpenPhish", "PhishingArmy", "PhishingDB", "OISD"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/pub-bda0c66467384daeb36a5ade8cd6385b.r2.dev
- PhishDestroy: https://phishdestroy.io/domain/pub-bda0c66467384daeb36a5ade8cd6385b.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-bda0c66467384daeb36a5ade8cd6385b.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-bda0c66467384daeb36a5ade8cd6385b.r2.dev/
Last updated: 2026-04-06