# whatmsp.pages.dev — SUSPICIOUS

> whatmsp.pages.dev is a crypto drainer phishing site with 0/95 VirusTotal detections, targeting crypto users. Avoid visiting immediately.

## Summary
PhishDestroy identifies whatmsp.pages.dev as an active crypto drainer phishing domain under investigation for credential theft and cryptocurrency fund misappropriation. This subdomain, hosted on Cloudflare's infrastructure (IP 172.66.46.237), utilizes a Google Trust Services SSL certificate to simulate legitimacy. The domain is designed to mimic legitimate crypto service interfaces to trick users into connecting their wallets or entering credentials, facilitating direct cryptocurrency theft.  This domain has not yet been flagged by VirusTotal, showing 0 detections out of 95 scans as of the latest check. It resolves through Cloudflare, Inc., a common tactic among malicious actors to obscure hosting origins and evade takedowns. While the exact registration date is not provided, the use of a Cloudflare-issued SSL certificate (Google Trust Services) suggests recent deployment, as these certificates are frequently used in short-lived phishing campaigns. The lack of blocklist entries indicates it is still in early propagation phases, but this status may change rapidly as threat intelligence networks update.  If you visited whatmsp.pages.dev, immediately disconnect your wallet or revoked any connected permissions. Scan your device with updated antivirus software, audit browser extensions for unauthorized access, and consider rotating cryptocurrency wallet credentials. Report the domain to your cybersecurity team or via platforms like Google Safe Browsing and VirusTotal to aid in its identification and removal.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.46.237

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/dec82a93-f1dc-48f2-84ed-6255cfc43068
- PhishDestroy: https://phishdestroy.io/domain/whatmsp.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/whatmsp.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/whatmsp.pages.dev/
Last updated: 2026-03-26