# xpm23.top — SUSPICIOUS

> xpm23.top is a fake WhatsApp credential theft domain active since March 2026, with 0/95 VirusTotal detections. Avoid this domain immediately.

## Summary

PhishDestroy identifies xpm23.top as a newly registered domain actively involved in generic phishing operations, specifically targeting WhatsApp users through credential theft campaigns. This domain was flagged on March 23, 2026, and currently remains undetected by security vendors, with VirusTotal showing 0 detections out of 95 scanners. The domain resolves to IP address 188.114.96.3, registered through NICENIC INTERNATIONAL GROUP CO., LIMITED using a Let's Encrypt SSL certificate to enhance legitimacy. The absence of blocklist entries despite its active status suggests this is an emerging threat requiring immediate attention from security teams and users alike.

Technical analysis reveals this domain employs deceptive tactics typical of credential theft operations, likely mimicking official WhatsApp login interfaces to harvest user credentials. The domain's recent creation date (March 23, 2026) indicates a hasty setup, while its low detection rate on VirusTotal suggests attackers are leveraging fresh infrastructure to evade early detection mechanisms. The use of a legitimate SSL certificate further compounds the risk by providing a false sense of security to potential victims. Security researchers should monitor this IP address (188.114.96.3) for additional malicious domains, as attackers often reuse infrastructure for multiple campaigns.

Users who have visited xpm23.top should immediately check their WhatsApp accounts for unauthorized access and enable two-factor authentication if not already configured. Change passwords for any accounts that may have been exposed during the visit, and avoid entering credentials on any unfamiliar domains. Report this domain to your IT security team or phishing reporting platforms to help contain the threat. Organizations should consider blocking this domain and IP address at the network level to prevent further access. Remain vigilant for phishing emails or messages referencing WhatsApp services, as attackers may combine domain-based threats with social engineering tactics for more effective credential harvesting.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-23 09:22:21
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/098a8df2-8d7d-4013-b68c-24cdd3e530cc
- PhishDestroy: https://phishdestroy.io/domain/xpm23.top/
- LLM endpoint: https://phishdestroy.io/domain/xpm23.top/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/xpm23.top/

Last updated: 2026-03-23