# ripple-airdrop.duckdns.org — MALICIOUS

> Beware of ripple-airdrop.duckdns.org, a high-risk domain impersonating XRP. Stay protected and avoid this suspicious site flagged for social engineering.

## Summary

PhishDestroy has identified ripple-airdrop.duckdns.org as a malicious domain engaged in brand impersonation targeting the XRP cryptocurrency. Classified under brand impersonation threats, this domain attempts to deceive users by mimicking legitimate XRP-related services, likely aiming to trick victims into divulging sensitive information or digital assets.

Technical analysis reveals that ripple-airdrop.duckdns.org was registered on April 12, 2013, through Gandi SAS and resolves to the IP address 144.172.101.80. The domain appears on two security blocklists and has been flagged by 11 out of 95 security vendors on VirusTotal. Additionally, Google Safe Browsing categorizes it under social engineering threats, confirming its use in deceptive practices. The page title discovered was "Protected Page," which may have been used as a lure or to disguise malicious intent.

Currently, the domain is offline, indicating that mitigation efforts or takedown actions have been effective. Users and organizations are advised to remain vigilant against similar impersonation attempts and to verify any XRP-related communications through official channels. This incident underscores the importance of continuous monitoring and swift response to domains that exploit brand trust to facilitate fraud.

## Threat Details

- Verdict: MALICIOUS
- Site status: dead (HTTP 0)
- Scam type: Airdrop Scam
- Target brand: XRP
- Page title: Protected Page

## Domain Intelligence

- Registered: 2013-04-12 19:58:56
- Registrar: Gandi SAS
- Country: FR
- IP: 144.172.101.80
- IP Country: US
- IP City: Ogden
- IP Org: AS14956 RouterHosting LLC
- Nameservers: ["ns1.duckdns.org", "ns2.duckdns.org", "ns3.duckdns.org"]
- SSL Issuer: none

## Detection Status

- VirusTotal: 11 vendors flagged
  - Vendors: ["BitDefender", "CRDF", "CyRadar", "ESET", "Fortinet", "G-Data", "Google Safebrowsing", "Gridinsoft", "Lionic", "Sophos", "Trustwave"]
- Google Safe Browsing: FLAGGED
- Blocklists: 2 hits
  - Lists: ["PhishDestroy", "ScamSniffer"]

## Evidence

- Screenshot: https://urlscan.io/screenshots/01984b5f-faec-74f8-a3d9-6dabb01150fc.png
- PhishDestroy: https://phishdestroy.io/domain/ripple-airdrop.duckdns.org/
- LLM endpoint: https://phishdestroy.io/domain/ripple-airdrop.duckdns.org/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ripple-airdrop.duckdns.org/

Last updated: 2026-03-19