# PhishDestroy threat dossier — crypto-ledger-management.com
================================================================

Fetched: 2026-07-04 03:43:08 UTC
Canonical: https://phishdestroy.io/domain/crypto-ledger-management.com/

## VERDICT
----------------------------------------------------------------

ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 99/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Ledger
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 2/91 security vendors flagged this domain
Flagging vendors: Gridinsoft, SOCRadar
URLQuery: 2 detections
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 188.114.96.3 (US, San Francisco)
Hosting org: AS13335 Cloudflare, Inc.
Registrar: Hello Internet Corp
Nameservers: olga.ns.cloudflare.com, ruben.ns.cloudflare.com
Registered: 2026-02-10
Expires: 2027-02-10

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-02-10 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-07-02 15:33:27 UTC (by PhishDestroy tracker)
First reported: 2026-07-02 13:45:11 UTC (abuse notice filed)
Last verified: 2026-07-04 05:16:54 UTC
Neutralised: 2026-07-02 15:34:06 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019f2308-146b-75f4-b4e8-4ca7d00f64b1/
URLQuery: https://urlquery.net/report/b131f39d-172d-4002-93ed-5519d64fa170
Wayback Machine: https://web.archive.org/web/*/crypto-ledger-management.com
crt.sh CT logs: https://crt.sh/?q=%25.crypto-ledger-management.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=crypto-ledger-management.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/crypto-ledger-management.com
URLhaus: https://urlhaus.abuse.ch/host/crypto-ledger-management.com/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-07-02 15:37:08 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, crypto-ledger-management.com, is under active investigation for its association with a crypto drainer threat. Crypto drainers are malicious tools designed to siphon cryptocurrency from victims' wallets by exploiting deceptive transactions or compromised wallet connections. Analysis of the domain reveals no direct brand impersonation, but its infrastructure aligns with known drainer kit deployment patterns, particularly those targeting decentralized finance (DeFi) platforms.
The domain does not appear to mimic a specific legitimate service, suggesting a broader, opportunistic attack vector rather than a targeted impersonation campaign.

Infrastructure analysis reveals the following technical indicators: the domain has a VirusTotal detection score of 0/95, indicating no antivirus engines have flagged it as malicious at the time of assessment. It was registered through Hello Internet Corp on February 10, 2026, and resolves to the IP address 188.114.96.3. The domain's SSL certificate is issued by Let's Encrypt, a common practice among both legitimate and malicious sites to enable HTTPS connections. Google Safe Browsing (GSB) status is not provided, but the domain is not currently listed on major blocklists, further contributing to its low initial detection profile. The creation date, set in the future (2026), is atypical and may indicate an attempt to evade temporal-based detection mechanisms or a placeholder for a planned campaign.

The domain is currently offline, which may suggest takedown actions or a temporary suspension by the registrar or hosting provider. However, the absence of prior detections and the use of a future creation date introduce residual risk, as the domain could be reactivated or repurposed for similar malicious activity.

Users who interacted with this domain should immediately revoke any wallet permissions granted during potential exposure and monitor their cryptocurrency transactions for unauthorized transfers. Organizations should consider proactively blocking the domain and its associated IP address (188.114.96.3) in network security controls to prevent future access. Given the domain's low detection profile and atypical registration details, continued monitoring is recommended to assess any resurgence in activity.
[Updates since narrative was generated:]
- WHOIS creation date: 2026-02-10
- Public blocklists: now listed on 3 feeds
- VirusTotal detections: now 2/91 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------

PhishDestroy Case ID: PD-20260702-DC9D9F
Favicon MD5: 5e7e616dc943d23075771a3df24210dc

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (operator takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/crypto-ledger-management.com/
JSON API: https://api.destroy.tools/v1/check?domain=crypto-ledger-management.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,417 domains (12,388 alive under monitoring, 161,211 confirmed takedowns/dead).
Site: https://phishdestroy.io