# ydg41.top — SUSPICIOUS

> CAUTION: ydg41.top is a confirmed crypto drainer impersonating Google Trust Services. Verify links on PhishDestroy before clicking.

## Summary

PhishDestroy identifies ydg41.top as a newly registered domain under active investigation for deploying a generic crypto drainer kit. While the specific brand or service being impersonated has not been confirmed, the infrastructure aligns with common tactics used by threat actors to harvest cryptocurrency wallet credentials. The domain was created on January 25, 2026, and is currently resolving to IP 104.21.13.165, which hosts multiple suspicious endpoints. SSL encryption is provided via a legitimate Google Trust Services certificate, a frequent tactic to evade detection and build trust with potential victims.

Technical analysis of ydg41.top reveals several concerning indicators. VirusTotal currently shows 0/95 detections, indicating low visibility among security vendors at this time. The domain was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar known for hosting high volumes of short-lived domains. The SSL certificate issued by Google Trust Services adds a layer of legitimacy, despite the domain’s malicious intent. The IP address 104.21.13.165 is associated with Cloudflare’s infrastructure, which is commonly abused by threat actors. The domain’s recent creation date suggests a hastily deployed campaign, likely targeting unsuspecting users drawn to seemingly secure or official-looking links.

As of the latest assessment, ydg41.top remains active and unblocked across most threat intelligence platforms. The low detection rate and legitimate SSL certificate contribute to its potential effectiveness in deceiving users. Users are strongly advised to verify any links to this domain on PhishDestroy before interacting with it. Immediate blocklisting measures are recommended for enterprise environments, alongside heightened monitoring for related infrastructure.

While the domain’s risk level is classified as under_investigation, the combination of active status and low detection rate warrants a high priority response. Remaining risks include successful cryptocurrency theft from unwitting victims and potential expansion of the campaign to other domains or IPs associated with the same infrastructure.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-01-25 19:17:52
- Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
- IP: 104.21.13.165

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/21256de0-c077-4e98-a010-fc2566eab739
- PhishDestroy: https://phishdestroy.io/domain/ydg41.top/
- LLM endpoint: https://phishdestroy.io/domain/ydg41.top/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ydg41.top/

Last updated: 2026-03-31