# xpa9.top — SUSPICIOUS

> Security alert: xpa9.top is a crypto drainer scam hosting a fake login page. VirusTotal flags 0/95 detections.

## Summary
PhishDestroy identifies xpa9.top as an active crypto drainer scam designed to steal cryptocurrency from unwary users. This domain hosts deceptive login pages that impersonate legitimate crypto platforms, tricking victims into connecting their wallets or entering credentials that are immediately drained by attackers. The site leverages social engineering tactics, often distributed through fraudulent links in phishing emails or malicious ads, to lure users into a false sense of security before executing unauthorized transactions. 

This domain was flagged with 0 detections out of 95 engines on VirusTotal, indicating it remains largely undetected by mainstream antivirus solutions. It resolves to IP address 172.67.170.207 and was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED. The domain was created on April 09, 2026, and currently operates under a Let’s Encrypt SSL certificate to appear legitimate. Despite its low detection rate, the domain’s recent creation date and lack of blocklist coverage make it a high-risk threat to cryptocurrency users. 

Users who visited xpa9.top should immediately disconnect any connected crypto wallets, revoke permissions for any unauthorized transactions, and scan their devices for malware. Do not enter any credentials or connect wallets to this domain. If you suspect your crypto assets are compromised, report the incident to your wallet provider and local authorities. Verify the safety of domains using PhishDestroy’s updated threat database to avoid falling victim to similar scams.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registered: 2026-04-09 10:48:22
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 172.67.170.207

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/a229b0bc-2313-49e5-af6e-f898d9651935
- PhishDestroy: https://phishdestroy.io/domain/xpa9.top/
- LLM endpoint: https://phishdestroy.io/domain/xpa9.top/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/xpa9.top/
Last updated: 2026-04-11