# PhishDestroy threat dossier — trezr-docs-io.pages.dev ================================================================ Fetched: 2026-04-23 10:10:38 UTC Canonical: https://phishdestroy.io/domain/trezr-docs-io.pages.dev/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Trezor ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 13/94 security vendors flagged this domain Flagging vendors: ADMINUSLabs, BitDefender, CyRadar, Emsisoft, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, Netcraft, OpenPhish, Sophos, Webroot ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 188.114.97.3 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: CloudFlare, Inc. Registrar: Cloudflare, Inc. Nameservers: carmelo.ns.cloudflare.com, melinda.ns.cloudflare.com Registered: 2026-04-06 Page title: Suspected phishing site | Cloudflare HTTP response: 403 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-07-05 Status: INVALID chain Fingerprint: 65c96775098de07dc21e9d9496a01fe7c260cda2fa7375c645a600ce67d88f72 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-06 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-06 16:34:49 UTC (by PhishDestroy tracker) Last verified: 2026-04-21 16:08:41 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d62fd-0c81-76ae-b066-4446fb65a07f/ Wayback Machine: https://web.archive.org/web/*/trezr-docs-io.pages.dev crt.sh CT logs: https://crt.sh/?q=%25.trezr-docs-io.pages.dev Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=trezr-docs-io.pages.dev AlienVault OTX: https://otx.alienvault.com/indicator/domain/trezr-docs-io.pages.dev URLhaus: https://urlhaus.abuse.ch/host/trezr-docs-io.pages.dev/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-06 16:39:21 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies trezr-docs-io.pages.dev as a crypto wallet drainer impersonating Trezor documentation, leveraging a spoofed page under the guise of 'trezr docs' to deceive users into connecting wallet extensions. The threat actor’s infrastructure is designed to siphon cryptocurrency assets under the pretext of providing legitimate documentation or wallet integration guides. This domain appears to be part of a broader campaign targeting cryptocurrency enthusiasts seeking support or tools, with the malicious domain hosted on a compromised or attacker-controlled Cloudflare Pages instance to evade detection and maintain operational resilience. This domain was flagged as active with a generic phishing payload and is currently under investigation. VirusTotal flags it at 0/95 detections, indicating no AV or sandbox solution has flagged the payload at time of writing. The domain resolves to IP 188.114.97.3, hosted through Cloudflare, Inc., with a SSL certificate issued by Google Trust Services, which may lend an air of legitimacy to unsuspecting users. The domain is a subdomain under pages.dev, a legitimate domain used by Cloudflare Pages for static hosting, which is commonly abused by threat actors to host phishing kits and malicious landing pages. Further investigation is required to determine the exact drainer kit used, but given the context and naming convention, it is likely a pre-built JavaScript-based drainer targeting browser extensions such as MetaMask or WalletConnect integrations. The absence of detections on VirusTotal suggests the payload may be polymorphic or delivered via staged loading to evade signature-based detection. The current status of the domain is active and under active monitoring by PhishDestroy. No known takedown actions have been observed at this time, and the domain remains resolvable with active SSL encryption. Users are advised to avoid interacting with this domain or any linked content, especially if prompted to connect a wallet or input seed phrases. While the immediate risk is classified as 'under investigation', the lack of detection on VirusTotal and the domain's recent creation (not specified but inferred from the Cloudflare Pages setup) suggest a potentially emerging threat. PhishDestroy recommends users verify any domain purporting to offer cryptocurrency documentation or wallet integrations using its public lookup tool before engagement. Remaining risk is assessed as high due to the targeting of cryptocurrency users and the potential for silent asset drainage. Security teams and users are encouraged to report any interactions with this domain to PhishDestroy for further analysis and inclusion in automated blocklists. [Updates since narrative was generated:] - VirusTotal detections: now 13/94 (narrative was written when count was lower) ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 65c96775098de07dc21e9d9496a01fe7c260cda2fa7375c645a600ce67d88f72 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/trezr-docs-io.pages.dev/ JSON API: https://api.destroy.tools/v1/check?domain=trezr-docs-io.pages.dev Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io