# toolbox-c6r.pages.dev — SUSPICIOUS

> PhishDestroy flags toolbox-c6r.pages.dev as a crypto drainer landing page with 0/95 VirusTotal detections.

## Summary
PhishDestroy identifies toolbox-c6r.pages.dev as an active crypto drainer landing page designed to trick visitors into connecting their wallets and signing malicious transactions. This fake login portal masquerades as a legitimate toolbox interface, aiming to harvest private keys or authorize unauthorized transfers. The domain leverages Cloudflare Pages hosting to evade traditional email security filters and employs HTTPS with a Google Trust Services certificate to appear trustworthy at a glance. Once a victim connects their wallet or enters recovery phrases, the drainer silently transfers assets to attacker-controlled addresses, often draining entire portfolios within minutes. This method bypasses traditional phishing detection by using legitimate hosting infrastructure and SSL certificates, making it particularly dangerous for cryptocurrency users seeking quick access to tools or services.  

This domain was flagged by PhishDestroy with 0 detections out of 95 VirusTotal scans as of the latest analysis, indicating it currently evades most automated detection systems. The page is hosted on Cloudflare Pages via the domain toolbox-c6r.pages.dev and resolves to IP 172.66.44.229. While the exact registration date is not publicly disclosed, the use of Cloudflare Pages suggests recent creation, as attackers often prefer this service for its low cost and rapid deployment capabilities. The presence of a Google Trust Services SSL certificate further complicates detection, as users often equate HTTPS with safety, overlooking the fact that certificates can be obtained by anyone for any domain. These technical choices indicate a sophisticated operator who understands how to blend malicious activity with legitimate infrastructure.  

If you visited toolbox-c6r.pages.dev or entered any information on the page, disconnect your wallet immediately using your wallet’s official disconnect function. Do not approve any unexpected transaction requests, even if they appear to come from legitimate services. Revoke any wallet permissions granted to unknown or suspicious domains through your wallet’s settings or third-party tools like revoke.cash. Scan your device for malware using reputable antivirus software, as malicious browser extensions or trojans may have been installed. Report the domain to PhishDestroy and your wallet provider to help block further attacks. Monitor your transaction history and wallet balances closely over the next few days for any unauthorized activity. Stay vigilant by always verifying links through official channels and using PhishDestroy’s real-time threat database before interacting with unknown domains.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.44.229

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/31533e49-9076-4b69-b9a5-0c4439dc502b
- PhishDestroy: https://phishdestroy.io/domain/toolbox-c6r.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/toolbox-c6r.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/toolbox-c6r.pages.dev/
Last updated: 2026-03-27