# ratel-website.pages.dev — SUSPICIOUS

> ratel-website.pages.dev hosts a live crypto wallet drainer phishing page with 0/95 VirusTotal detections. Check the full report.

## Summary

PhishDestroy identifies an active phishing campaign at ratel-website.pages.dev, a recently registered domain leveraging Cloudflare Pages to distribute a generic cryptocurrency wallet drainer kit. The page masquerades as a legitimate service but is designed to siphon digital assets from unwitting victims. No specific brand or service is being impersonated in this iteration, indicating a broad, opportunistic approach targeting crypto users. The drainer kit is a ready-to-deploy JavaScript-based toolkit commonly sold on underground forums, capable of intercepting wallet connection requests and prompting fraudulent transactions. This campaign is likely part of a wider operation using free Cloudflare infrastructure to evade early detection and maintain operational flexibility. The threat actor appears to be testing deployment vectors before scaling the operation or pivoting to more recognizable brand impersonations.

This domain was flagged by PhishDestroy with the following technical indicators: it resolves to IP address 172.66.47.49, is registered through Cloudflare, Inc., and carries a Google Trust Services SSL certificate. As of the latest scan, it has 0 detections out of 95 on VirusTotal, indicating no immediate detection by antivirus engines. The domain appears to be newly registered, though the exact creation date is still under verification. It remains unlisted on Google Safe Browsing (GSB) and has not yet been added to major blocklists. The combination of Cloudflare’s free tier infrastructure, a legitimately issued SSL certificate, and zero detections suggests this campaign is in its early operational phase, likely designed to evade automated detection mechanisms while preparing for broader deployment.

The campaign is currently active and under active investigation by PhishDestroy’s threat intelligence team. Immediate response actions include sharing IOCs with trusted threat intelligence partners, submitting the domain to GSB for review, and coordinating with Cloudflare’s abuse team for takedown. Despite these efforts, the domain remains accessible and poses a moderate but evolving risk to cryptocurrency users. Remaining risk factors include the domain’s legitimate SSL certificate, use of Cloudflare’s reputable infrastructure, and the drainer kit’s proven effectiveness in prior campaigns. Users are strongly advised to verify website authenticity via official channels, avoid clicking unsolicited links, and use hardware wallets or transaction simulation tools when transferring digital assets. Organizations are urged to update browser blocklists and deploy network-level protections to mitigate exposure.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.49

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/ratel-website.pages.dev
- PhishDestroy: https://phishdestroy.io/domain/ratel-website.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/ratel-website.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ratel-website.pages.dev/

Last updated: 2026-04-02