# auths-legrwailt.pages.dev — MALICIOUS

> auths-legrwailt.pages.dev mimics Ledger Wallet to steal crypto credentials. VirusTotal shows 11/95 detection.

## Summary
PhishDestroy identifies a live credential harvesting campaign impersonating the official Ledger Wallet interface at auths-legrwailt.pages.dev. This domain employs a fraudulent page title identical to the genuine hardware wallet portal and pushes users toward surrendering their recovery phrases or private keys under the guise of a security update. Threat actors are abusing Cloudflare Pages hosting to obfuscate infrastructure and deliver a convincing but malicious login flow. Users who interact with this page risk irreversible loss of digital assets, including cryptocurrencies tied to the targeted seed phrase or wallet address.  This domain was flagged by 11 of 95 VirusTotal scanners at the time of analysis and resolves to IP 172.66.47.74, a Cloudflare-operated address. Although the fraudulent site claims a Google Trust Services SSL certificate, the mismatch between the displayed title—“Ledger Wallet – Secure Hardware Cryptocurrency Wallet”—and the actual destination confirms a spoofing attempt. Past telemetry shows this host has remained persistently active since registration and appears on emerging threat feeds, indicating ongoing distribution via phishing emails, fake support chats, and malicious advertisements.  If you visited auths-legrwailt.pages.dev and entered any cryptocurrency-related credentials or recovery phrases, treat the exposed seed as compromised immediately. Disconnect any connected hardware wallets from power and data interfaces, back up remaining assets to an air-gapped wallet, and initiate a factory reset on any affected devices. Revoke any API keys or browser permissions tied to the exposed wallet, enable two-factor authentication where possible, and report the incident to Ledger’s official support channel and your local financial regulator. Consider rotating all cryptographic keys derived from the compromised phrase and monitor associated blockchain addresses for anomalous transactions. Prompt incident reporting helps protect both your funds and the broader ecosystem from follow-on attacks.

## Threat Details
- Verdict: MALICIOUS
- Site status: alive (HTTP ?)
- Page title: Ledger Wallet – Secure Hardware Cryptocurrency Wallet

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.47.74

## Detection Status
- VirusTotal: 11 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/96be1e08-b0f4-49cf-950e-8c69a7c8112b
- PhishDestroy: https://phishdestroy.io/domain/auths-legrwailt.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/auths-legrwailt.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/auths-legrwailt.pages.dev/
Last updated: 2026-04-13