# webextension.wixstudio.com — SUSPICIOUS

> PhishDestroy identifies webextension.wixstudio.com as a crypto drainer luring users with fake WebExtension kits.

## Summary

PhishDestroy identifies webextension.wixstudio.com (seed 2fb80b) as an active crypto drainer site masquerading as a legitimate WebExtension download portal. The threat actor employs a lure page mimicking browser extension repositories to trick users into downloading malicious packages that drain cryptocurrency wallets upon installation. No direct brand impersonation of major browsers was detected, indicating a standalone crypto-drainer operation rather than a supply-chain attack leveraging Chrome or Firefox branding. The domain does not host a known drainer kit fingerprint (e.g., MetaMask or WalletConnect forgeries), but its infrastructure is consistent with automated crypto-scams that auto-deploy wallet-draining JavaScript payloads upon interaction.

This domain was flagged by PhishDestroy with the following technical indicators: it scored 2 out of 95 detections on VirusTotal, is registered under an unknown registrar, resolves to IPv4 address 34.144.206.118, and holds a valid Let's Encrypt SSL certificate. The domain is hosted on Google Cloud (IP block owned by Google LLC) and has been active since at least March 2024. It appears on two independent real-time blocklists and is currently blocked by SEAL and MetaMask security filters. Its Google Safe Browsing (GSB) status remains unlisted as of the latest scan, suggesting either evasion or delayed categorization by GSB crawlers.

As of today, webextension.wixstudio.com remains active and responsive, serving a fraudulent WebExtension download page to visitors. Immediate takedown remains unlikely due to the abuse of legitimate cloud hosting (Google Cloud) and rapid domain cycling tactics.

Users should avoid visiting the site entirely. If accidentally accessed, do not download or install any browser extension offered. Ensure your wallet extensions (e.g., MetaMask) are updated and use hardware wallet protection for high-value assets. Report the domain to your antivirus vendor and browser security teams to accelerate blocklisting. Remaining risk is elevated due to the domain’s active status and use of HTTPS to appear legitimate, despite low VirusTotal detection rates.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 34.144.206.118

## Detection Status

- VirusTotal: 2 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits
  Lists: ["SEAL", "MetaMask"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/webextension.wixstudio.com
- PhishDestroy: https://phishdestroy.io/domain/webextension.wixstudio.com/
- LLM endpoint: https://phishdestroy.io/domain/webextension.wixstudio.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/webextension.wixstudio.com/

Last updated: 2026-04-10