# walletexo-us.pages.dev — MALICIOUS > PhishDestroy identifies walletexo-us.pages.dev as an active crypto drainer impersonating WalletExo. VirusTotal flags 8/95 vendors. Verify URLs before clicking. ## Summary PhishDestroy identifies walletexo-us.pages.dev as an active crypto drainer actively stealing cryptocurrency from unsuspecting users. This domain leverages a deceptive 'walletexo-us' naming convention to impersonate the legitimate WalletExo platform, luring victims into connecting their digital wallets under the guise of legitimate transactions or account verification. Once accessed, the page executes malicious JavaScript designed to drain connected wallets by automatically approving and executing unauthorized token transfers to attacker-controlled addresses. The domain’s infrastructure is hosted on Cloudflare Pages, using Google Trust Services for SSL encryption to appear legitimate, while resolving to IP address 172.66.47.81, a known hosting node associated with malicious web activity. This domain was flagged by 8 out of 95 security vendors on VirusTotal, indicating elevated risk but not yet fully contained. Registered through Cloudflare, Inc., it operates under a pages.dev subdomain, a common tactic used by threat actors to rapidly deploy fraudulent pages with minimal traceability. The combination of a high-risk classification, partial blocklist presence, and use of a reputable hosting service underscores the sophistication and adaptability of this threat actor. Given the domain’s active status and the specific targeting of cryptocurrency users, the risk of financial loss is significant and immediate. If you have visited walletexo-us.pages.dev or entered any wallet credentials or connected a wallet, disconnect your device from the internet immediately and revoke any unauthorized token approvals using tools such as revoke.cash or Etherscan’s token approval checker. Do not interact further with the domain. Report the incident to PhishDestroy for verification and blocklist inclusion. Always verify URLs manually, use hardware wallets for storage, and enable transaction alerts to detect suspicious activity early. Stay vigilant—legitimate crypto platforms will never ask you to connect your wallet via a third-party subdomain. ## Threat Details - Verdict: MALICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: Cloudflare, Inc. - IP: 172.66.47.81 ## Detection Status - VirusTotal: 8 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/33d52d0d-f7c9-45b3-a655-258696373fa0 - PhishDestroy: https://phishdestroy.io/domain/walletexo-us.pages.dev/ - LLM endpoint: https://phishdestroy.io/domain/walletexo-us.pages.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/walletexo-us.pages.dev/ Last updated: 2026-03-23