# treasury-buttcoin.com — SUSPICIOUS

> PhishDestroy identifies treasury-buttcoin.com as an active crypto drainer impersonating legitimate crypto services. 2 out of 95 VirusTotal vendors flagged it.

## Summary

treasury-buttcoin.com has been confirmed as an active crypto drainer domain designed to deceive users into transferring cryptocurrency to attacker-controlled wallets. The threat level is elevated due to the domain's recent creation, minimal detection coverage, and association with cryptocurrency drainer campaigns. This site specifically targets individuals interested in digital assets by mimicking legitimate crypto treasury or financial services, aiming to siphon funds under false pretenses. The risk is exacerbated by the domain's recency and limited visibility in security vendor databases, which often lag behind emerging threats in the fast-evolving crypto space.

This domain was flagged by PhishDestroy with the following indicators: registered on March 14, 2026, resolving to IP 172.67.194.14, and secured with a Let's Encrypt SSL certificate. Only 2 out of 95 VirusTotal security vendors currently detect this domain as malicious, reflecting its low profile in threat intelligence feeds. The domain was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar known to host both legitimate and malicious domains, adding to the uncertainty of its legitimacy. Notably, the domain's brief operational history and lack of historical data provide attackers with a tactical advantage, as early-stage domains are often overlooked in automated defenses.

Organizations and individuals should implement domain-based blocking via DNS or firewall rules to prevent user access to treasury-buttcoin.com and similar newly registered domains. Given the crypto drainer nature of this threat, users must be educated to verify URLs, avoid clicking on unsolicited links, and confirm the authenticity of crypto-related websites through official channels. Additionally, network defenders should monitor for connections to 172.67.194.14 and flag any SSL certificates issued by Let's Encrypt for domains with high-risk keywords such as 'buttcoin' or 'treasury' in combination with crypto-related terms. Proactive threat hunting for recently registered domains with low detection rates can help mitigate the risk of falling victim to such scams. Immediate remediation involves blacklisting the domain and IP while updating security policies to include crypto-drainer-specific detection rules.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-14 09:35:53
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 172.67.194.14

## Detection Status

- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/c8ef8ed4-0f79-4316-9b85-f4433f15fb29
- PhishDestroy: https://phishdestroy.io/domain/treasury-buttcoin.com/
- LLM endpoint: https://phishdestroy.io/domain/treasury-buttcoin.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/treasury-buttcoin.com/

Last updated: 2026-03-22