# txnodemicermode.pages.dev — SUSPICIOUS

> txnodemicermode.pages.dev targets crypto wallet users with fake 'txnodeme' phishing scams. Check the full report.

## Summary
PhishDestroy identifies txnodemicermode.pages.dev as an active crypto wallet phishing site with elevated risk. This domain impersonates Polkadot-related services to steal wallet credentials and funds.

This domain was flagged with a Google Trust Services SSL certificate, registered via Cloudflare, and resolves to IP 172.66.47.82. VirusTotal shows 0/95 detections despite 4 blocklists including Polkadot, Codeesura, Enkrypt, and OISD. Google Safe Browsing labels it SOCIAL_ENGINEERING. The site exploits .pages.dev subdomains to appear legitimate while distributing malware or harvesting private keys.

Immediate mitigation is required: block the domain at DNS/network level, investigate network traffic for connections to 172.66.47.82, and warn users about Polkadot/Wallet phishing lures. Rotate exposed wallet keys and enable 2FA. Monitor for typosquats of 'txnodeme' or 'Polkadot' domains.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.47.82

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: FLAGGED
- Blocklists: 4 hits
  Lists: ["Polkadot", "Codeesura", "Enkrypt", "OISD"]

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/33f572f9-1f27-43a0-bf3f-642e817a7b99
- PhishDestroy: https://phishdestroy.io/domain/txnodemicermode.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/txnodemicermode.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/txnodemicermode.pages.dev/
Last updated: 2026-03-22