# rbxdeals.roblox-635.workers.dev — MALICIOUS

> PhishDestroy detects rbxdeals.roblox-635.workers.dev hosting a crypto drainer impersonating Roblox with 5/95 VirusTotal flags. Block this domain immediately.

## Summary

PhishDestroy identifies active crypto-draining infrastructure impersonating Roblox at rbxdeals.roblox-635.workers.dev. The page masquerades as a Roblox rewards generator to trick users into connecting wallets and signing malicious transactions, characteristic of “free crypto” phishing kits. The domain leverages Cloudflare’s Workers service to evade traditional hosting-based detection while presenting a spoofed Roblox-branded interface to harvest private keys and drain balances.

This domain was flagged by PhishDestroy with the following technical indicators: VirusTotal detection score 5/95 security vendors, Cloudflare registrar, IP 188.114.96.3, SSL certificate issued by Let’s Encrypt, and presence on multiple threat-intelligence blocklists. Creation occurred within the Cloudflare Workers subdomain namespace, allowing rapid evasion through disposable subdomain churn. Google Safe Browsing currently lists the domain as unsafe, and third-party threat feeds cumulatively report 12 detections across VirusTotal, URLVoid, and OpenPhish.

Current status is active and propagating through social media and gaming forums. Immediate user action includes blocking the domain at DNS/endpoint level and revoking any wallet connections made while visiting. Remaining risk is elevated due to the kit’s ability to mutate via Workers subdomains; continuous monitoring and proactive takedown requests to Cloudflare are recommended. Users should verify all “free Roblox” links via official channels and never connect wallets to unverified sites.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 5 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/11a75168-ba90-46ce-8ae9-05719890646a
- PhishDestroy: https://phishdestroy.io/domain/rbxdeals.roblox-635.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/rbxdeals.roblox-635.workers.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/rbxdeals.roblox-635.workers.dev/

Last updated: 2026-03-27