# rocketpool-3xb.pages.dev — SUSPICIOUS

> rocketpool-3xb.pages.dev is a suspected brand impersonation domain targeting Rocket Pool (crypto drainer). VirusTotal shows 0/95 detections.

## Summary

PhishDestroy identifies rocketpool-3xb.pages.dev as an active brand impersonation domain masquerading as Rocket Pool, a liquid staking protocol for Ethereum. This domain employs deceptive naming conventions to mimic official Rocket Pool infrastructure, likely aiming to deceive users into connecting cryptocurrency wallets or entering sensitive credentials under false pretenses. The threat actor leverages Cloudflare Pages to host the impersonation page, a common tactic to exploit legitimate cloud services for malicious hosting. While the specific drainer kit remains unverified at this stage, the domain’s structure and targeting strongly suggest an imminent crypto-draining operation.

This domain resolves to IP address 188.114.96.3, hosted by Cloudflare, Inc., and is secured with a Google Trust Services SSL certificate, which may enhance its perceived legitimacy to non-technical users. As of current analysis, VirusTotal reports 0 detections out of 95 scanners, indicating a low detection rate despite malicious intent. The domain is registered through Cloudflare, Inc., a legitimate registrar, which complicates takedown efforts due to Cloudflare’s abuse mitigation policies. No blocklist entries have been recorded, and the domain remains under active investigation. The Google Safe Browsing (GSB) status is currently unknown, but the absence of detections suggests it has not yet been flagged by major threat intelligence platforms.

Currently, rocketpool-3xb.pages.dev is active and poses a high-risk threat to users, particularly those engaged in decentralized finance (DeFi) or cryptocurrency staking. The domain’s low detection rate and use of Cloudflare Pages highlight the evolving tactics of threat actors to evade detection. While no confirmed drainer kit has been identified, the impersonation of Rocket Pool—a well-known staking protocol—indicates a targeted campaign likely aimed at draining user wallets or harvesting credentials. Users are advised to avoid interacting with this domain and report it to relevant authorities (e.g., Google Safe Browsing, Rocket Pool’s official channels, or threat intelligence platforms). Security teams should monitor for similar domains and consider proactively blocking the IP and domain to mitigate potential exposure. The remaining risk is classified as high due to the domain’s active status and lack of detections.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Rocket Pool

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/91a4cdf3-514e-434c-88c2-740f28fda480
- PhishDestroy: https://phishdestroy.io/domain/rocketpool-3xb.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/rocketpool-3xb.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/rocketpool-3xb.pages.dev/

Last updated: 2026-03-31