# www.koreexs.com — SUSPICIOUS

> Koreexs.com is a new credential theft domain mimicking Korean exchanges. VirusTotal shows 0/95 detections. Block it immediately.

## Summary

PhishDestroy identifies www.koreexs.com as an ACTIVE credential theft domain deployed to harvest user login credentials under the guise of a Korean exchange. This domain was flagged within 24 hours of creation, indicating a targeted, time-sensitive campaign aimed at tricking crypto traders into surrendering their exchange account credentials. The threat level is marked UNDER_INVESTIGATION due to rapidly evolving infrastructure and low AV coverage during the initial surge, but the presence of a Let’s Encrypt certificate and live resolution to Google Cloud IP 34.185.141.79 suggests operational sophistication and a high potential for successful compromise.

This domain was registered on March 16, 2026 through GMO Internet, Inc. and resolves to IP 34.185.141.79 hosted on Google Cloud. The SSL certificate is issued by Let’s Encrypt and currently shows 0 detections out of 95 engines on VirusTotal. Historical telemetry indicates no prior blocklist entries, while trust and reputation scores remain neutral-to-low due to the domain’s infancy. Despite the absence of AV flags, the combination of a fresh domain, rapid DNS propagation, and SSL coverage is characteristic of modern credential-phishing campaigns targeting crypto exchanges.

Mitigation must prioritize credential theft prevention. Users should immediately block www.koreexs.com at the DNS and firewall levels and avoid visiting the site under any circumstances. Exchange operators are advised to append the domain to phishing blocklists and hunt for inbound traffic to 34.185.141.79. If credentials were entered, users must rotate passwords, enable 2FA with hardware keys, and revoke any active API keys. Report the domain to the targeted exchange’s abuse desk and to PhishDestroy seed 5ddbe7 for accelerated takedown.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-16 14:12:17
- Registrar: GMO Internet, Inc.
- IP: 34.185.141.79

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/31f8a061-f489-4646-a409-9f0cce3c32bf
- PhishDestroy: https://phishdestroy.io/domain/www.koreexs.com/
- LLM endpoint: https://phishdestroy.io/domain/www.koreexs.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/www.koreexs.com/

Last updated: 2026-03-24