# trnlnksfds89.brigitta0.workers.dev — SUSPICIOUS

> trnlnksfds89.brigitta0.workers.dev operates as a crypto drainer phishing site with zero detection on VirusTotal.

## Summary
PhishDestroy identifies trnlnksfds89.brigitta0.workers.dev as a live crypto drainer phishing domain, actively targeting cryptocurrency users. This domain employs an automated script designed to empty victim wallets upon wallet connection, posing an imminent financial risk to unsuspecting users. The operational infrastructure leverages Cloudflare Workers to host the malicious payload, ensuring rapid deployment and evasion of traditional blocklists. Security teams are urged to treat this domain as an active threat and implement immediate countermeasures.  This domain resolves to the IP address 104.21.46.198 and operates under a valid Let's Encrypt SSL certificate, enhancing its credibility. Despite zero detections on VirusTotal (0/95), the absence of flags does not indicate safety; rather, it reflects the domain's recency and sophisticated evasion techniques. Registered through Cloudflare, Inc., this domain was likely created to exploit the trusted reputation of Workers.dev subdomains. The domain remains unlisted on major threat intelligence platforms, increasing the likelihood of successful victim compromise.  Users who have interacted with this domain should immediately revoke wallet connections and transfer remaining funds to a cold storage wallet. Scan all connected devices for malware, as crypto drainers often deploy additional payloads. Report the domain to PhishDestroy for analysis and consider updating firewall rules to block both the domain and associated IP address. Remain vigilant for similar domains leveraging Workers.dev subdomains, as threat actors frequently rotate infrastructure to evade detection. Proactive monitoring and user education are critical to mitigating risks associated with crypto drainer phishing campaigns.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 104.21.46.198

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/2237197b-deed-444a-8f9a-71f37772c2a5
- PhishDestroy: https://phishdestroy.io/domain/trnlnksfds89.brigitta0.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/trnlnksfds89.brigitta0.workers.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/trnlnksfds89.brigitta0.workers.dev/
Last updated: 2026-03-30