# slon3at-2at.ru — SUSPICIOUS

> slon3at-2at.ru is assessed to host an active crypto wallet drainer targeting digital wallets. Check the full report for detailed IOCs and safety guidance.

## Summary

PhishDestroy classifies slon3at-2at.ru as a domain engaged in cryptocurrency wallet drainer operations, a form of phishing in which the victim is lured into connecting a wallet and then signing a transaction or approval that moves funds to the attacker. The domain impersonates legitimate services to obtain that connection and signature. No specific brand impersonation or drainer kit variant is documented in open sources, so the classification rests on the domain's infrastructure and observed behaviour rather than on a known kit signature. The actor behind it remains under active investigation, including which platforms and wallet types are targeted.

At the time of the latest scan the domain had a 0/95 VirusTotal detection score, had not been flagged by Google Safe Browsing (GSB), and appeared on no major threat intelligence blocklist. A zero-detection result means only that signature-based engines have not yet recognised the domain; it is not evidence that the site is benign, and for a domain registered less than three weeks before this report it is the expected state. The domain was registered through REGRU-RU on March 09, 2026 and resolves to 205.185.113.136. It serves HTTPS with a Let's Encrypt certificate; such certificates are free and issued automatically to whoever controls the domain, so the browser padlock says nothing about the legitimacy of the site. The recent creation date points to a short-lived or opportunistic campaign.

As of this report the domain carries the verdict SUSPICIOUS with an 'under_investigation' status, meaning its full operational scope and infrastructure are still being examined. The primary risk to anyone interacting with it is an unauthorised transfer of cryptocurrency from a connected wallet, so users should not visit the domain or follow links to it.
Immediate actions are to block the domain at the network level (DNS or web-proxy denylist, and optionally the hosting IP if it is not shared) and to report it to the relevant cybersecurity platforms or financial institutions. The immediate risk is high because the site is active and reputation coverage is low; ongoing monitoring will refine the assessment. Remain alert for look-alike domains and verify a site's authenticity through a trusted source (a saved bookmark or the project's official channel, not a search result or a link received in a message) before connecting a wallet or making a transaction.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-09 01:07:06
- Registrar: REGRU-RU
- IP: 205.185.113.136

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/709a6c32-25e2-424b-98a2-747b7b4a3787
- PhishDestroy: https://phishdestroy.io/domain/slon3at-2at.ru/
- LLM endpoint: https://phishdestroy.io/domain/slon3at-2at.ru/llm.txt

## If You Visited This Site

1. If you connected a wallet or signed anything, review and revoke token approvals granted to unfamiliar contracts and move remaining funds to a fresh wallet whose seed phrase was never entered on the site.
2. Change any passwords you may have entered.
3. Enable 2FA on all related accounts.
4. Monitor your accounts for unauthorized activity.
5. Report to: FBI IC3, Europol, local authorities.

---

Report by PhishDestroy | https://phishdestroy.io/domain/slon3at-2at.ru/
Last updated: 2026-03-28
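The Summary recommends blocking the domain at the network level and weighs its young age against its zero-detection status. The script below, added here as an example and not PhishDestroy's own tooling, parses the Domain Intelligence and Detection Status fields of this report (a constructed copy is embedded so it runs offline), computes the domain's age from the registration date and the report date, derives the risk signals a SOC would record, and emits the IOC as hosts, BIND RPZ, Unbound and Suricata block/detect artifacts. The Suricata SIDs, rule messages and the 30-day "newly registered" threshold are arbitrary choices, and whether 205.185.113.136 is shared hosting (which would make the IP rule risky) is not stated on the page.

```python
"""Turn the IOC fields of this report into risk signals and block rules.

Added example; not PhishDestroy's tooling.  REPORT is a constructed copy
of the Domain Intelligence / Detection Status fields shown on this page
so the script runs offline.  SIDs and rule messages are placeholders.
"""
import re
from datetime import datetime

DOMAIN = "slon3at-2at.ru"

REPORT = """\
## Domain Intelligence
- Registered: 2026-03-09 01:07:06
- Registrar: REGRU-RU
- IP: 205.185.113.136
## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits
Last updated: 2026-03-28
"""


def parse_report(text):
    """Collect '- Key: value' bullets and the 'Last updated' footer into a dict."""
    fields = {m.group(1).strip(): m.group(2).strip()
              for m in re.finditer(r"^- ([^:]+): (.+)$", text, re.M)}
    m = re.search(r"Last updated: (\d{4}-\d{2}-\d{2})", text)
    if m:
        fields["Last updated"] = m.group(1)
    return fields


def domain_age_days(fields):
    """Whole days from registration to the report date (not 'now', so it is reproducible)."""
    registered = datetime.strptime(fields["Registered"], "%Y-%m-%d %H:%M:%S")
    reported = datetime.strptime(fields["Last updated"], "%Y-%m-%d")
    return (reported - registered).days


def risk_signals(fields, max_age_days=30):
    """Signals a SOC would weigh: newly registered plus a gap across all reputation sources."""
    signals = []
    if domain_age_days(fields) <= max_age_days:  # 30-day threshold is an arbitrary choice
        signals.append("newly_registered")
    if fields["VirusTotal"].startswith("0 "):
        signals.append("vt_zero_detections")
    if fields["Google Safe Browsing"].lower() == "clean":
        signals.append("gsb_clean")
    if fields["Blocklists"].startswith("0 "):
        signals.append("no_blocklist_hits")
    # A clean sweep of reputation sources on a domain this young is a gap in
    # coverage, not a clean bill of health: nothing has had time to catch it.
    if {"vt_zero_detections", "gsb_clean", "no_blocklist_hits"} <= set(signals):
        signals.append("detection_gap")
    return signals


def block_rules(domain, ip, sid_base=9000001):
    """The same IOC in hosts, BIND RPZ, Unbound and Suricata form.

    RPZ 'CNAME .' answers NXDOMAIN; the wildcard record covers subdomains.
    The IP rule is optional: if the address is shared hosting it blocks
    unrelated sites, and the page does not say whether it is (assumption).
    """
    dns_msg = f"PhishDestroy suspicious domain {domain} DNS query"
    tls_msg = f"PhishDestroy suspicious domain {domain} TLS SNI"
    ip_msg = f"Traffic to {domain} hosting IP"
    return {
        "hosts": f"0.0.0.0 {domain}",
        "rpz": f"{domain} CNAME .\n*.{domain} CNAME .",
        "unbound": f'local-zone: "{domain}" always_nxdomain',
        "suricata": [
            # 'endswith' also matches subdomains such as www.<domain>
            f'alert dns any any -> any any (msg:"{dns_msg}"; dns.query; '
            f'content:"{domain}"; nocase; endswith; sid:{sid_base}; rev:1;)',
            f'alert tls any any -> any any (msg:"{tls_msg}"; tls.sni; '
            f'content:"{domain}"; nocase; endswith; sid:{sid_base + 1}; rev:1;)',
            f'alert ip any any -> {ip} any (msg:"{ip_msg}"; sid:{sid_base + 2}; rev:1;)',
        ],
    }


if __name__ == "__main__":
    fields = parse_report(REPORT)
    print(f"{DOMAIN}: {domain_age_days(fields)} days old, signals={risk_signals(fields)}")
    for fmt, rule in block_rules(DOMAIN, fields["IP"]).items():
        print(f"\n# {fmt}")
        print("\n".join(rule) if isinstance(rule, list) else rule)
```

The DNS-level artifacts (hosts, RPZ, Unbound) stop the page from loading at all; the Suricata DNS and SNI rules are for environments that only monitor, and the SNI rule still fires when the client uses an external or encrypted resolver that bypasses the local DNS block.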