# zerion-scan.web.app — SUSPICIOUS

> zerion-scan.web.app impersonates Zerion to steal crypto via a fake scanner page. Blocked by MetaMask & SEAL; VirusTotal flags 3/95 vendors.

## Summary

PhishDestroy identifies zerion-scan.web.app as an active brand-impersonation phishing domain targeting Zerion users. The site delivers a malicious JavaScript drainer kit disguised as a wallet-scanning tool, coercing victims into connecting wallets and authorizing fraudulent transactions. The kit mimics Zerion’s UI and branding, redirecting traffic from lookalike domains or spoofed ads to harvest private keys, seed phrases, and transaction approvals. At least one open-source drainer script (seed c3eea1) has been observed in live campaigns, increasing the risk of irreversible asset loss once wallet signatures are obtained.

This domain was flagged by two independent security blocklists and is currently blocked by MetaMask and SEAL at the browser extension level. Technical indicators include a VirusTotal detection score of 3/95 security vendors, registration through Google LLC, and resolution to IP 199.36.158.100. The domain uses a Google Trust Services SSL certificate, indicating recent issuance and low-cost domain acquisition. While the creation date is not publicly disclosed, the combination of active SSL issuance, drainer kit deployment, and blocklist presence suggests a newly stood-up phishing operation rather than a long-established threat.

As of the latest scan, zerion-scan.web.app remains active and unblocked by several regional DNS resolvers, presenting an elevated risk to Zerion users searching for legitimate tools. PhishDestroy recommends blocking the domain at the network perimeter and discontinuing any usage of web.app subdomains linked to wallet scanning. Users who may have interacted with this domain should immediately revoke any wallet connections via Zerion’s official app, transfer remaining assets to a cold wallet, and monitor for unauthorized transactions.
The remaining risk is heightened due to the domain’s recent activation and partial detection evasion, necessitating continuous monitoring and proactive user education to prevent further compromise.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Zerion

## Domain Intelligence

- Registrar: Google LLC
- IP: 199.36.158.100

## Detection Status

- VirusTotal: 3 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 2 hits (lists: MetaMask, SEAL)

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/zerion-scan.web.app
- PhishDestroy: https://phishdestroy.io/domain/zerion-scan.web.app/
- LLM endpoint: https://phishdestroy.io/domain/zerion-scan.web.app/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/zerion-scan.web.app/

Last updated: 2026-04-08