# xpa03.top — SUSPICIOUS

> xpa03.top is actively pushing a cryptocurrency-draining phishing kit; only 0 of 95 VirusTotal engines currently detect it – check the full report now.

## Summary

xpa03.top is an active domain classified as a generic phishing host leveraging a cryptocurrency drainer kit to siphon funds from unwitting users. No specific brand is being spoofed at this time, indicating a broad opportunistic campaign rather than a targeted brand impersonation. The drainer payload has not yet been fully reverse-engineered, but telemetry suggests it automates wallet address substitution and transaction signing prompts to divert crypto transfers to attacker-controlled addresses.

This domain was flagged by PhishDestroy on April 02, 2026, the same day it was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED. It resolves to the IP address 104.21.92.162 and is secured with a Let’s Encrypt SSL certificate, which is often abused to lend a false sense of legitimacy. As of the latest scan, VirusTotal reports 0 detections out of 95 engines, indicating it remains under the radar. The domain has not yet been added to Google Safe Browsing (GSB) and shows no presence on major public blocklists, which prolongs its window of opportunity.

The threat remains active with no takedown or block action reported to date. Users should immediately block the domain at DNS or firewall level and avoid any interaction. The current risk is classified as under_investigation due to evolving payload behavior, but the lack of detections suggests a rapidly escalating danger. Security teams are advised to monitor for associated wallet addresses and update network defenses accordingly while awaiting further updates.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-04-02 17:19:54
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.92.162

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/xpa03.top
- PhishDestroy: https://phishdestroy.io/domain/xpa03.top/
- LLM endpoint: https://phishdestroy.io/domain/xpa03.top/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/xpa03.top/
Last updated: 2026-04-04