# pub-d32177d1380e42248761c1e0015bfbc0.r2.dev — MALICIOUS

> PhishDestroy identifies pub-d32177d1380e42248761c1e0015bfbc0.r2.dev as an ACTIVE crypto drainer impersonating legitimate services.

## Summary

PhishDestroy confirms pub-d32177d1380e42248761c1e0015bfbc0.r2.dev as a HIGH-RISK crypto drainer campaign actively harvesting cryptocurrency wallet credentials and funds. This domain is engineered to trick users into connecting to fraudulent wallet interfaces that drain balances once a signature is approved. Analysis reveals consistent deployment of malicious JavaScript payloads designed to intercept wallet transactions and exfiltrate private keys. The infrastructure operates with deliberate sophistication, leveraging cloud storage domains to bypass traditional email-based detection mechanisms.

This domain was flagged immediately upon detection, with a 17/95 detection ratio on VirusTotal, meaning 17 independent security vendors classify it as malicious. The domain resolves to IP address 104.18.50.34, which is associated with Cloudflare's R2 storage service, a legitimate platform frequently abused for hosting malicious content because of its scalability and anonymity. The domain is served over a Let's Encrypt SSL certificate, which lends false legitimacy to the phishing pages. It appears on three major blocklists (OpenPhish, PhishingArmy, and OISD), confirming widespread recognition as malicious. The combination of a high detection rate, cloud-based infrastructure, and presence on multiple threat feeds underscores the elevated risk posed by this campaign.

Users must treat this domain as HIGH RISK and avoid any interaction. For crypto users, this threat is particularly dangerous because blockchain transactions are irreversible: once funds are drained, recovery is impossible. Immediate mitigation includes blocking this domain at the network level and ensuring wallet software is updated with real-time phishing URL feeds.

Users should verify all wallet connection requests by cross-referencing the domain against PhishDestroy's live database before signing any transactions. Organizations are advised to deploy DNS filtering rules that block `*.r2.dev` domains unless explicitly whitelisted, as this pattern is commonly exploited by crypto drainers. Always use hardware wallets for high-value transactions and enable transaction simulation features to detect anomalies before signing.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.18.50.34

## Detection Status

- VirusTotal: 17 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 3 hits
  - Lists: ["OpenPhish", "PhishingArmy", "OISD"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/05c7fa3e-9d33-4b49-a762-66a416b931c6
- PhishDestroy: https://phishdestroy.io/domain/pub-d32177d1380e42248761c1e0015bfbc0.r2.dev/
- LLM endpoint: https://phishdestroy.io/domain/pub-d32177d1380e42248761c1e0015bfbc0.r2.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/pub-d32177d1380e42248761c1e0015bfbc0.r2.dev/

Last updated: 2026-03-29