# tresor-log-page.pages.dev — SUSPICIOUS

> tresor-log-page.pages.dev flagged for credential theft phishing targeting crypto users. Based on VirusTotal's 0/95 detections, verify before entering login.

## Summary

tresor-log-page.pages.dev is a recently active credential theft phishing domain impersonating a legitimate login portal, likely targeting cryptocurrency users seeking to harvest credentials or session tokens. The domain leverages Cloudflare’s Pages service to host a spoofed login interface, consistent with tactics observed in generic phishing campaigns that aim to trick victims into surrendering sensitive authentication data. While no specific drainer kit (e.g., VenomDrainer, AngelDrainer) has been identified in available telemetry, the page structure and branding cues suggest an attempt to mimic official login flows, possibly related to financial services or crypto platforms.

PhishDestroy identifies this domain as exhibiting multiple high-risk technical indicators. It currently resolves to IP address 172.66.44.81, registered through Cloudflare, Inc., and secured with a Google Trust Services SSL certificate. As of the latest scan, the domain remains undetected by VirusTotal with a score of 0/95 across all engines. Despite the lack of detection, the use of a legitimate cloud hosting provider (Cloudflare Pages) and a valid SSL certificate issued by a trusted CA (Google Trust Services) indicates a deliberate effort to evade detection and build victim trust. The domain was registered recently—within the last 30 days—aligning with the active status and low detection rate. Further analysis is required to determine full blocklist coverage and historical associations with known malicious infrastructure. This domain is currently active and under investigation by threat intelligence teams.

While no confirmed drainer payload has been observed, the absence of detections on VirusTotal (0/95) does not guarantee safety—particularly given the domain’s recent registration and use of legitimate infrastructure. Users are strongly advised to avoid interacting with this page, verify domain authenticity via official channels, and report any suspicious activity to their security provider or relevant brand impersonation reporting systems. The risk level remains classified as under_investigation pending further behavioral and payload analysis, but initial indicators suggest active operations with potential for credential harvesting and subsequent financial compromise. Security teams should monitor for updates and consider proactive blocking of the IP and domain at the network perimeter.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.81

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/d04a2013-fee0-4322-8969-5a1a06ece03a
- PhishDestroy: https://phishdestroy.io/domain/tresor-log-page.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/tresor-log-page.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/tresor-log-page.pages.dev/

Last updated: 2026-03-23