# tea-rex.xyz — SUSPICIOUS

> tea-rex.xyz is a recently activated domain (March 31, 2026) linked to a live credential theft campaign. Resolves to 104.21.54.49 with 0/95 VirusTotal detections.

## Summary

tea-rex.xyz has been identified as a live phishing domain actively resolving to IP 104.21.54.49. VirusTotal currently shows 0 detections across 95 engines, suggesting it is not yet widely recognized by security tools. Registered via NICENIC INTERNATIONAL GROUP CO., LIMITED, the domain was created on March 31, 2026, and secured with a Let's Encrypt SSL certificate. This combination of fresh registration, minimal detection coverage, and dynamic hosting infrastructure strongly indicates a rapid-deployment credential theft campaign targeting unsuspecting users through spoofed login portals.

This domain exhibits multiple high-risk indicators consistent with active phishing operations. It resolves to IP 104.21.54.49, a hosting provider known for accommodating malicious traffic due to lax abuse controls. The domain was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar with historically high tolerance for fraudulent registrations. With 0 detections out of 95 VirusTotal scans and no presence on major blocklists as of this report, its threat level remains under investigation but is assessed as actively dangerous due to its early-stage deployment. The SSL certificate from Let's Encrypt further legitimizes the domain’s appearance to end-users, increasing the likelihood of successful credential harvesting. Time since registration (March 31, 2026) is minimal, suggesting this is either a newly activated domain or a recent hijack of an existing, compromised site.

To mitigate exposure, organizations should immediately block tea-rex.xyz and its resolving IP 104.21.54.49 at the network perimeter. Users who may have interacted with this domain should rotate all credentials entered on the site, enable multi-factor authentication on all accounts, and monitor for signs of account compromise. Security teams should increase monitoring for outbound connections to this IP and conduct phishing awareness training focusing on domains registered within the last 72 hours. Given the absence of detection coverage, manual inspection and behavioral analysis of any login pages hosted on this domain are strongly advised. This campaign is likely in its early propagation stage, and rapid response can significantly reduce potential victimization.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-31 12:56:41
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.54.49

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/e5e366f7-5826-428b-90fe-a32c18e710c8
- PhishDestroy: https://phishdestroy.io/domain/tea-rex.xyz/
- LLM endpoint: https://phishdestroy.io/domain/tea-rex.xyz/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/tea-rex.xyz/
Last updated: 2026-03-31