# PhishDestroy threat dossier — cdn-liveledgr-io.pages.dev
================================================================
Fetched: 2026-04-25 06:33:08 UTC
Canonical: https://phishdestroy.io/domain/cdn-liveledgr-io.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 6/94 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, CyRadar, Emsisoft, Fortinet, Netcraft, Webroot

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.66.47.156 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: Cloudflare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: adelaide.ns.cloudflare.com, bill.ns.cloudflare.com
Registered: 2026-04-04
Page title: Suspected phishing site | Cloudflare
HTTP response: 403

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-03
Status: INVALID chain
Fingerprint: ac0e2b43ca45291eb5e9e487175f0c6411e04de7b4ece5754795c37dd112afbe

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-04 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-04 15:50:10 UTC (by PhishDestroy tracker)
Last verified: 2026-04-21 16:04:37 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019d587b-d059-7089-9c23-1d632bf178d0/
Wayback Machine: https://web.archive.org/web/*/cdn-liveledgr-io.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.cdn-liveledgr-io.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=cdn-liveledgr-io.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/cdn-liveledgr-io.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/cdn-liveledgr-io.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-04 15:54:52 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies the active crypto drainer domain cdn-liveledgr-io.pages.dev using a spoofed Ledger interface to steal cryptocurrency assets. This Pages.dev subdomain hosts a malicious drainer kit disguised as a ‘live’ Ledger CDN endpoint, specifically engineered to intercept wallet connections and authorize unauthorized transfers. The infrastructure is configured to mimic legitimate CDN assets, leveraging the Pages.dev platform to evade traditional email filtering while maintaining a convincing HTTPS origin via Google Trust Services certificates. The domain’s naming convention ‘liveledgr’ is a deliberate typosquat of ‘Live Ledger,’ aiming to capitalize on brand confusion among users seeking official firmware or software updates.

This domain exhibits several red flags confirmed by PhishDestroy’s forensic analysis. VirusTotal currently flags this URL with 0 detections out of 95 engines, indicating zero coverage in major threat intelligence feeds as of assessment time. The domain is registered through Cloudflare, Inc., a common choice for threat actors due to its masking of underlying registrant data via proxy services. The domain resolves to the IP address 172.66.47.156, a Cloudflare-operated edge node shared across multiple legitimate and malicious sites. The SSL certificate is issued by Google Trust Services under the *.pages.dev wildcard, which is standard for Pages.dev domains and does not inherently indicate malicious intent. At this time, PhishDestroy has not observed this domain on any public blocklists or threat feeds, underscoring its novelty and the need for proactive user education.

As of Seed 223965, cdn-liveledgr-io.pages.dev remains active and unblocked by mainstream defenses. PhishDestroy has flagged this domain as a high-priority threat due to its active drainer functionality and impersonation of a trusted hardware wallet brand. Users are advised to avoid accessing this domain and verify any Ledger-related links via the official ledger.com domain only. The domain poses a severe risk to users who interact with wallet interfaces served from untrusted CDN endpoints, particularly those involving cryptocurrency transactions. Remaining risk is assessed as elevated given the lack of detection coverage and the domain’s use of reputable infrastructure to host malicious content. Ongoing monitoring for related infrastructure expansion and additional domains is in progress.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: ac0e2b43ca45291eb5e9e487175f0c6411e04de7b4ece5754795c37dd112afbe

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/cdn-liveledgr-io.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=cdn-liveledgr-io.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains.
Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io