# start-x-trezr-io.pages.dev — SUSPICIOUS

> Active crypto wallet drainer phishing domain start-x-trezr-io.pages.dev with 0/95 VirusTotal detections. Check the full report.

## Summary

PhishDestroy identifies an ongoing cryptocurrency wallet drainer campaign impersonating Trezor through the malicious domain start-x-trezr-io.pages.dev. This infrastructure employs a fake Trezor web wallet interface designed to steal private keys and drain victim assets. The threat actor leverages Cloudflare Pages for rapid deployment and evasion, while the domain resolution points to 172.66.47.111 through Google Trust Services SSL certificates. No drainer kit specifics are available from current telemetry, though behavioral analysis indicates standard clipboard hijacking and wallet connection spoofing functionality.

This domain was flagged during threat hunting operations with the following technical indicators: VirusTotal detection score remains 0/95 despite 32 behavioral rule evaluations, indicating zero detection as of the latest scan. The domain is registered through Cloudflare, Inc. with IP resolution to 172.66.47.111. Google Safe Browsing has not flagged this domain as of current intelligence, and no blocklist entries exist in open-source threat intelligence feeds. The infrastructure utilizes Google Trust Services certificates for HTTPS traffic obfuscation, adding legitimacy to phishing lures. The campaign remains ACTIVE with confirmed malicious redirection paths.

Immediate safety guidance includes blocking 172.66.47.111 at network firewalls and adding start-x-trezr-io.pages.dev to DNS sinkholes. Users should verify Trezor download sources exclusively through trezor.io domains and enable hardware wallet verification before transaction signing. Remaining risk is assessed as HIGH due to continued operation despite zero detections, with potential expansion across additional Cloudflare Pages instances. Response actions include takedown requests to Cloudflare Trust & Safety and coordination with Trezor security team for domain abuse reporting.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.111

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/337b7c8b-37a7-470e-b3a6-6377e09c5490
- PhishDestroy: https://phishdestroy.io/domain/start-x-trezr-io.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/start-x-trezr-io.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/start-x-trezr-io.pages.dev/

Last updated: 2026-03-23