# sso--atomic-wallet--cdn--auth.webflow.io — MALICIOUS

> PhishDestroy identifies sso--atomic-wallet--cdn--auth.webflow.io as an active crypto drainer impersonating Atomic Wallet.

## Summary

PhishDestroy identifies an active crypto_drainer campaign hosted at sso--atomic-wallet--cdn--auth.webflow.io that specifically impersonates Atomic Wallet authentication infrastructure. This domain leverages a fraudulent Webflow subdomain to deceive users into entering seed phrases or private keys under the guise of wallet recovery or account synchronization. Upon interaction, the campaign harvests credentials and executes unauthorized transactions to drain cryptocurrency holdings, posing a severe financial risk to unsuspecting victims. Technical analysis confirms the domain resolves to IP 172.64.151.8 and operates under Google Trust Services SSL certification, increasing its perceived legitimacy to potential targets.

This domain exhibits elevated threat indicators with concrete evidence of malicious intent. VirusTotal analysis reveals 11 out of 95 security vendors flagged this domain as malicious, indicating partial detection but not universal protection. The infrastructure relies on Webflow’s content delivery network to host the fraudulent authentication portal, exploiting legitimate service providers to evade basic blocking mechanisms. While specific registration details remain obscured, the active status combined with high-risk behavior patterns confirms ongoing exploitation. Users interacting with this domain risk immediate financial loss through cryptocurrency theft, as the campaign is designed to capture private keys or seed phrases for unauthorized wallet access.

Users who visited sso--atomic-wallet--cdn--auth.webflow.io should immediately cease all interaction with the domain and assess any entered credentials or wallet information for compromise. If seed phrases, private keys, or account passwords were entered, transfer remaining assets to a newly generated wallet with strong security measures and revoke any delegated permissions. Enable hardware wallet authentication and multi-signature protections where possible. Report the domain to your antivirus provider and block IP 172.64.151.8 at the network perimeter to prevent further exposure. Monitor wallet transactions for suspicious activity and consider initiating fraud alerts with relevant cryptocurrency platforms. Cryptocurrency users must treat all unsolicited authentication portals with heightened skepticism, verifying domains through official channels before entering sensitive information.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 172.64.151.8

## Detection Status

- VirusTotal: 11 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/7e95433c-77e6-4322-ba22-41541947e3cd
- PhishDestroy: https://phishdestroy.io/domain/sso--atomic-wallet--cdn--auth.webflow.io/
- LLM endpoint: https://phishdestroy.io/domain/sso--atomic-wallet--cdn--auth.webflow.io/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/sso--atomic-wallet--cdn--auth.webflow.io/

Last updated: 2026-03-24