# ydnaz.ksa9noa1-sdoqd.com — MALICIOUS

> ydnaz.ksa9noa1-sdoqd.com is a crypto drainer phishing domain flagged by 6/95 VirusTotal vendors as malicious.

## Summary

PhishDestroy identifies ydnaz.ksa9noa1-sdoqd.com as an active crypto drainer phishing domain deployed to steal cryptocurrency wallet credentials and assets. The page mimics legitimate services to get users to approve a malicious wallet connection, sign unauthorized transfers, or hand over private keys or seed phrases. No specific brand impersonation was detected in this campaign; instead the threat actor relies on obfuscated subdomains and randomized strings to evade detection and slip past URL filtering. The naming pattern points to automated, domain-generation-style provisioning, so related domains with the same structure should be expected. This domain fits a broader trend of crypto drainer campaigns that reach victims through social media, fake giveaways, and compromised advertisements.

Technical analysis shows ydnaz.ksa9noa1-sdoqd.com resolving to 103.250.7.203, on infrastructure linked to cryptocurrency theft operations. The domain was registered on March 24, 2026 through GoDaddy.com, LLC, a very recent creation consistent with disposable, short-lived phishing infrastructure. The TLS certificate, issued by Sectigo Limited, gives the page a padlock but says nothing about its legitimacy: domain-validated certificates from reputable CAs are routinely obtained for phishing sites. VirusTotal shows 6 of 95 vendors flagging the domain, with detections covering crypto-drainer, phishing, and malware distribution signatures. Google Safe Browsing (GSB) has not yet listed the domain, and public blocklist aggregators report no prior hits. The combination of fresh registration, low detection coverage, and cryptocurrency targeting puts the threat level at elevated, with potential for rapid escalation.
As of this analysis, ydnaz.ksa9noa1-sdoqd.com still resolves and is not blocked by major browsers or security platforms. Immediate remediation is to add the domain and its IP (103.250.7.203) to network and endpoint blocklists. Users should not visit the domain and should treat any wallet connection or transaction-signing prompt originating from it as malicious. Security teams should watch DNS logs and certificate transparency feeds for the same pattern: newly registered domains whose labels are randomized, mixed alphanumeric strings. A Sectigo-issued certificate on its own is not an indicator, since Sectigo is a legitimate CA used by a large number of benign sites. While the domain's recent registration limits historical threat intelligence, its behavior matches high-risk crypto drainer operations. Proactive blocking and user education on wallet security (never enter a seed phrase into a website; read every approval or transaction request before signing it) remain the main mitigations. Remaining risk is elevated due to low detection coverage and ongoing activity.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP status not recorded at scan time)

## Domain Intelligence

- Registered: 2026-03-24 14:30:35
- Registrar: GoDaddy.com, LLC
- IP: 103.250.7.203

## Detection Status

- VirusTotal: 6 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/c9697c7e-3637-4e43-8e9b-4c57b95a1eb1
- PhishDestroy: https://phishdestroy.io/domain/ydnaz.ksa9noa1-sdoqd.com/
- LLM endpoint: https://phishdestroy.io/domain/ydnaz.ksa9noa1-sdoqd.com/llm.txt

## If You Visited This Site

1. Change any passwords you entered on the site
2. Enable 2FA on all related accounts
3. If you connected a wallet or signed anything, revoke the token approvals you granted and move remaining funds to a fresh wallet; if you entered a seed phrase, treat that wallet as fully compromised
4. Monitor your accounts for unauthorized activity
5. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ydnaz.ksa9noa1-sdoqd.com/
Last updated: 2026-03-30
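As an added example (not PhishDestroy's code), the following Python script applies the blocking and monitoring advice in this report to a DNS query log: it matches the report's domain and IP indicators and flags other hostnames whose labels follow the same randomized, mixed alphanumeric pattern. The log lines are constructed for the example, the look-alike domain qz7x1.k2m9pa0b-trwlx.com in them is fabricated rather than a real indicator, and the dnsmasq-style log format and the entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Indicators taken directly from the report above.
BLOCKED_DOMAINS = {"ydnaz.ksa9noa1-sdoqd.com"}
BLOCKED_IPS = {"103.250.7.203"}

# Constructed dnsmasq-style log lines for this example. The last hostname,
# qz7x1.k2m9pa0b-trwlx.com, is a fabricated look-alike, not a real indicator.
SAMPLE_LOG = """\
Mar 30 10:01:02 dnsmasq[123]: query[A] ydnaz.ksa9noa1-sdoqd.com from 10.0.0.15
Mar 30 10:01:02 dnsmasq[123]: reply ydnaz.ksa9noa1-sdoqd.com is 103.250.7.203
Mar 30 10:01:05 dnsmasq[123]: query[A] www.example.com from 10.0.0.15
Mar 30 10:01:05 dnsmasq[123]: reply www.example.com is 93.184.216.34
Mar 30 10:01:09 dnsmasq[123]: query[A] mail.corp.example.net from 10.0.0.22
Mar 30 10:01:09 dnsmasq[123]: query[A] qz7x1.k2m9pa0b-trwlx.com from 10.0.0.22
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\S+)")


def parse_dns_log(text):
    """Return (kind, name, value) tuples: ('query', name, client) or ('reply', name, addr)."""
    events = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            events.append(("query", m["name"].lower().rstrip("."), m["client"]))
            continue
        m = REPLY_RE.search(line)
        if m:
            events.append(("reply", m["name"].lower().rstrip("."), m["addr"]))
    return events


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_looks_random(label):
    """Heuristic for the randomized strings the report describes: a hyphen-separated
    chunk of five or more characters mixing digits and letters, or a long label with
    high character entropy. The 3.2-bit threshold is an assumption; expect false
    positives on CDN and cloud hostnames, so treat hits as triage, not as blocks."""
    for chunk in label.split("-"):
        if (len(chunk) >= 5
                and any(ch.isdigit() for ch in chunk)
                and any(ch.isalpha() for ch in chunk)):
            return True
    return len(label) >= 8 and shannon_entropy(label) >= 3.2


def random_label_score(name):
    """Count the non-TLD labels of a hostname that look randomized."""
    labels = name.split(".")[:-1]
    return sum(1 for label in labels if label_looks_random(label))


def scan(text):
    """Run blocklist and pattern checks over a log; returns unique (reason, indicator) pairs
    in the order first seen."""
    alerts = []

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for kind, name, value in parse_dns_log(text):
        if name in BLOCKED_DOMAINS:
            add(("blocklisted-domain", name))
        elif random_label_score(name) >= 1:
            add(("randomized-labels", name))
        if kind == "reply" and value in BLOCKED_IPS:
            add(("blocklisted-ip", value))
    return alerts


if __name__ == "__main__":
    for reason, indicator in scan(SAMPLE_LOG):
        print(f"{reason:20} {indicator}")
```

The blocklist checks are exact and safe to act on; the label heuristic is a hunting query, intended to surface candidates for analyst review (and for WHOIS age and certificate transparency lookups), not to populate a blocklist by itself.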