# PhishDestroy threat dossier — us-trexorsuite.pages.dev
================================================================

Fetched: 2026-04-23 18:34:29 UTC
Canonical: https://phishdestroy.io/domain/us-trexorsuite.pages.dev/

## VERDICT
----------------------------------------------------------------

CRITICAL THREAT — DO NOT VISIT

Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Trezor

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 5/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, CyRadar, Fortinet, Kaspersky

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 188.114.96.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: kenneth.ns.cloudflare.com, rosalyn.ns.cloudflare.com
Registered: 2026-04-19
Page title: Trezor Suite | Manage Your Crypto Securely
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Google Trust Services / WE1
Expires: 2026-07-07
Status: INVALID chain
Fingerprint: a22076a1c7a5f418e7dcecfb2cd1933df71c6fc1530b29473a3a824e57072b5c

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-04-19 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-19 16:05:04 UTC (by PhishDestroy tracker)
Last verified: 2026-04-21 16:07:40 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019da5d6-bf13-777c-a113-1baee0276713/
Wayback Machine: https://web.archive.org/web/*/us-trexorsuite.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.us-trexorsuite.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=us-trexorsuite.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/us-trexorsuite.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/us-trexorsuite.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-04-19 16:06:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies us-trexorsuite.pages.dev as an active crypto wallet phishing kit masquerading as an official Trezor Suite interface. This fraudulent domain was flagged for impersonating a legitimate cryptocurrency service to steal wallet credentials and digital assets. The threat actor leverages Google Trust Services-validated SSL certificates and Cloudflare infrastructure to enhance credibility while remaining undetected by traditional antivirus engines. Users entering wallet recovery phrases on this fraudulent site risk permanent fund loss and identity theft.

Analysis of technical indicators reveals alarming details about this phishing campaign. VirusTotal scans show 0 out of 95 detection engines flagging this domain, despite its malicious intent. The site is registered through Cloudflare, Inc. and resolves to IP address 188.114.96.3, which shares infrastructure with numerous other crypto phishing operations. The PhishDestroy investigation seed 672f75 confirms this domain remains active and continues to evolve its evasion techniques. The absence of detection signatures suggests this phishing kit recently emerged, targeting users during a period when antivirus definitions have not yet been updated.

This threat represents an immediate danger to cryptocurrency holders, particularly those using hardware wallets. The phishing kit specifically mimics the Trezor wallet ecosystem, a popular hardware wallet provider, to trick users into entering their seed phrases or private keys. Upon visiting us-trexorsuite.pages.dev, users should immediately cease all interaction with the site and check their browser's address bar for telltale signs like the 'pages.dev' domain or misspellings. Anyone who entered wallet recovery information on this site must transfer remaining funds to a new wallet immediately and consider their seed phrase compromised. For ongoing protection, users should bookmark official wallet URLs directly rather than relying on search results, enable two-factor authentication on all crypto accounts, and verify website authenticity through official channels before entering sensitive information.

## EVIDENCE HASHES
----------------------------------------------------------------

TLS cert SHA-256: a22076a1c7a5f418e7dcecfb2cd1933df71c6fc1530b29473a3a824e57072b5c

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/us-trexorsuite.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=us-trexorsuite.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io