# tronscanfox.pages.dev — SUSPICIOUS

> PhishDestroy identifies tronscanfox.pages.dev as a crypto credential theft page impersonating TronScan with 0/95 VirusTotal detections.

## Summary

PhishDestroy has flagged tronscanfox.pages.dev as an active crypto credential theft domain impersonating TronScan, the official blockchain explorer for the TRON network. This domain presents high risk due to its clear intent to deceive users into submitting sensitive wallet credentials, potentially enabling direct asset theft. The site mimics the legitimate interface of TronScan, leveraging visual and functional similarities to harvest private keys, seed phrases, or wallet passwords from unsuspecting users engaged in TRON-based transactions. Given the irreversible nature of blockchain transactions, the exposure of such credentials typically results in complete loss of funds with no recovery options. The active status of this domain indicates ongoing malicious campaigns, likely distributed via phishing emails, fake ads, or social media posts targeting TRON users.

This domain was registered through Cloudflare, Inc., and resolves to IP address 188.114.97.3. It utilizes a Let's Encrypt SSL certificate to appear legitimate and avoid browser warnings. As of the latest assessment, the domain shows 0 detections out of 95 engines on VirusTotal, indicating it has not yet been widely blacklisted. The use of Cloudflare as a registrar and hosting provider adds complexity to takedown efforts, as Cloudflare often prioritizes uptime over immediate malicious content removal. The domain is hosted on Cloudflare's Pages platform, a legitimate service that has been abused to host phishing and malware distribution sites. No known blocklists currently flag this domain, and trust scores for the IP and domain remain low due to lack of historical reputation.

Immediate mitigation is critical to prevent credential theft. Users should avoid accessing tronscanfox.pages.dev entirely and verify the correct domain (tronscan.io) before entering any TRON wallet credentials. Enable hardware wallet authentication where possible and never enter seed phrases or private keys on web forms. Report this domain to your antivirus vendor, browser provider, and platforms like PhishDestroy, Google Safe Browsing, or the TRON Foundation's official security channels. If you have already entered credentials, revoke associated wallet access immediately and transfer remaining assets to a secure, air-gapped wallet. Monitor blockchain explorers for unauthorized transfers and report suspicious activity to TRON's support team. Consider using dedicated browser profiles or extensions that block known phishing domains to reduce exposure to similar threats in the future.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/tronscanfox.pages.dev
- PhishDestroy: https://phishdestroy.io/domain/tronscanfox.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/tronscanfox.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/tronscanfox.pages.dev/

Last updated: 2026-04-02