Rixav.sbs: A Crypto Wallet Phishing Site

This investigation focused on the domain rixav.sbs following concerns about its legitimacy and initial access anomalies. Analysis of the site's structure, behavior, and external reputation data indicates it is a high-risk platform with clear indicators of malicious intent. The domain is newly registered with no verifiable history or trust signals. Multiple security intelligence sources flag it with critically low trust scores. Upon visiting the site, users are immediately presented with a wallet connection interface that progressively funnels them toward disclosing sensitive credentials, specifically crypto wallet recovery phrases and private keys. The platform's design, user flow, and technical setup are consistent with Web3 phishing infrastructure. Assessed risk level: High. Any user who interacted with this site and entered wallet credentials should treat those credentials as compromised.

The website rixav.sbs operates as a Web3 wallet phishing site, specifically targeting cryptocurrency users by impersonating a legitimate wallet recovery or RPC connection service. The attack flow follows a well-documented pattern. Users land on the site under the impression they're resolving a wallet issue, are prompted to select their wallet provider, encounter a staged "connection failure," and are then pushed to manually enter their recovery phrase or private key to "verify" the account. This isn't a bug in the flow, it's the mechanism. The connection failure is deliberate; the credential input is the goal. Branding elements like "RPC Recovery Hub," polished loading animations, and professional-looking wallet selector screens are present specifically to manufacture credibility. There is no actual service here. The entire interface exists to extract seed phrases.

The findings span three categories: technical indicators, behavioral patterns, and external intelligence. On the technical side, the domain is newly registered, a consistent trait in short-lived phishing campaigns designed to operate briefly before being flagged and abandoned. The site routes through Cloudflare, which obscures backend hosting details and complicates attribution. While Cloudflare is used by legitimate sites, it's a standard layer in phishing infrastructure for exactly this reason. Behaviorally, the site's UX is engineered around escalating pressure. The wallet connection interface loads immediately with no context or onboarding. Repeated connection prompts, loading states, and staged failures create urgency and confusion, conditions under which users are more likely to comply with unusual requests like entering a recovery phrase. This staged flow is a hallmark of credential harvesting operations. External intelligence corroborates the on-site findings. Security platforms independently flag rixav.sbs as a phishing domain with trust scores in the critical range. Taken together, a new domain, Cloudflare-masked infrastructure, credential-harvesting UX, and third-party threat flagging all consistently point to a purpose-built phishing site, not a malfunctioning legitimate service.

| Domain | rixav[.]sbs | Confirmed | | URL | hxxps://rixav[.]sbs/sync | Confirmed | | IP Address | 172[.]67[.]134[.]99 | Confirmed |

• Do not interact further with rixav.sbs using real accounts, wallets, or credentials
• Any wallet credentials, especially recovery phrases, entered on the site should be considered compromised. Migrate assets immediately if applicable
• All further investigation should be conducted in a sandboxed or isolated environment with burner accounts only
• Submit the domain to security platforms (VirusTotal, PhishTank, Google Safe Browsing) for broader flagging.
• Watch for domain variants and typosquats that may be part of the same campaign infrastructure