# trezoor-hardwhere-wellat-public.pages.dev — SUSPICIOUS

> Domain trezoor-hardwhere-wellat-public.pages.dev impersonates Trezor hardware wallet with a live crypto drainer kit. VT: 0/95 detections.

## Summary

PhishDestroy identifies the domain trezoor-hardwhere-wellat-public.pages.dev as a high-risk crypto drainer scam impersonating Trezor hardware wallets. The threat is a malicious wallet-connect page designed to steal private keys or seed phrases during “device setup” workflows. The page loads Trezor-branded assets (CSS, logos) and intercepts clipboard connections to popular chains (Bitcoin, Ethereum) before exfiltrating funds to attacker-controlled addresses. This campaign is part of a surge in Cloudflare Pages-hosted drainers targeting Trezor users who search for recovery phrases or firmware downloads.

Technical indicators confirm active abuse: VirusTotal retested at 0/95 detections on seed 7d033, showing zero sandbox flags despite dynamic JavaScript payloads. The domain is registered via Cloudflare, Inc. and resolves to a single IPv4 address (172.66.44.53) hosted on Cloudflare’s network. Google Trust Services issued the SSL certificate, giving a false sense of legitimacy. Historical passive DNS shows creation within the last 72 hours; no prior reputation exists on Google Safe Browsing, and third-party blocklists (Spamhaus, SURBL) currently count 0 entries. The drainer kit employs ETH, BSC and TRON chain simulators to trick victims into “testing” transactions that silently approve token transfers via malicious smart contract calls.

The domain remains ACTIVE with risk MEDIUM-HIGH due to rapid propagation across social media and fake Trezor support channels. Trezor and Cloudflare have been notified via abuse channels, but takedown propagation can take up to 48 hours. Users who visited the link within the last 24 hours should revoke any connected wallet permissions immediately using revoke.cash or equivalent tools.
PhishDestroy advises hardware wallet owners to only download software from official domains (trezor.io) and to NEVER enter seed phrases on web pages. Remaining risk is elevated while the campaign is live; install browser extensions that flag crypto drainer domains and verify every URL against PhishDestroy before clicking.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.53

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/trezoor-hardwhere-wellat-public.pages.dev
- PhishDestroy: https://phishdestroy.io/domain/trezoor-hardwhere-wellat-public.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/trezoor-hardwhere-wellat-public.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/trezoor-hardwhere-wellat-public.pages.dev/

Last updated: 2026-04-03