# PhishDestroy threat dossier — desktop-ledgjrr.pages.dev
================================================================

Fetched:   2026-04-30 18:47:01 UTC
Canonical: https://phishdestroy.io/domain/desktop-ledgjrr.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      11/91 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, LevelBlue, Lionic, Sophos

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.96.3 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     CloudFlare, Inc.
Registrar:       Cloudflare, Inc.
Nameservers:     cory.ns.cloudflare.com, marlowe.ns.cloudflare.com
Registered:      2026-04-27
Page title:      Ledger Live Desktop — The Definitive Hub for Secure Crypto Management and Digital Asset Portfolio Control
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-07-19
Status:     INVALID chain
Fingerprint: 19648d349abeaaf2030ac219f28f6d6fb8b795941441ed92e9cd0a0e8786f79d

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-27 06:20:09 UTC (by PhishDestroy tracker)
Last verified:     2026-04-29 07:40:12 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dccf2-74a7-7599-b618-a847318256d2/
Wayback Machine:  https://web.archive.org/web/*/desktop-ledgjrr.pages.dev
crt.sh CT logs:   https://crt.sh/?q=%25.desktop-ledgjrr.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=desktop-ledgjrr.pages.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/desktop-ledgjrr.pages.dev
URLhaus:          https://urlhaus.abuse.ch/host/desktop-ledgjrr.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-27 06:20:50 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain desktop-ledgjrr.pages.dev is currently under active investigation due to its association with a generic phishing campaign. PhishDestroy identifies this as a high-risk crypto drainer threat, designed to steal cryptocurrency wallet credentials or initiate unauthorized transactions under the guise of legitimate service. The threat type involves credential theft targeting unsuspecting users, where victims may input sensitive wallet recovery phrases or private keys, leading to immediate fund loss. This domain is not yet flagged on mainstream blocklists but exhibits clear malicious intent through its active phishing infrastructure. Action is strongly advised to prevent exposure.

All available technical indicators corroborate this assessment. The domain was registered through Cloudflare, Inc., which does not inherently imply legitimacy due to widespread abuse of free subdomain services by threat actors. It resolves to IP 188.114.96.3, a Cloudflare IP associated with dynamic content delivery networks commonly exploited in phishing operations. According to VirusTotal, the domain has 0 detections out of 95 scanners (as of seed 566d4c), indicating evasion of current signature-based detection mechanisms. The domain operates under an SSL certificate issued by Google Trust Services, which is standard for Cloudflare-hosted sites but does not validate the domain's trustworthiness. While no public blocklist records were identified in this analysis, the absence of detections should not be interpreted as safety; new domains with no reputation history are frequently weaponized within hours of registration.

To mitigate risk, users must avoid interacting with desktop-ledgjrr.pages.dev entirely. Never input wallet private keys, seed phrases, or authentication credentials on any page hosted here. If accidental exposure occurs, immediately revoke compromised wallet permissions via blockchain explorers or official wallet interfaces and transfer remaining funds to a newly generated cold wallet. Organizations should implement DNS filtering to block the domain and IP at the network perimeter. Users can verify site legitimacy by checking for HTTPS padlock symbols only on known official domains and cross-referencing URLs through reputable phishing intelligence feeds such as PhishTank or OpenPhish.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       5c25dc4385fe5963f245c0f0dc98b4ca
TLS cert SHA-256:      19648d349abeaaf2030ac219f28f6d6fb8b795941441ed92e9cd0a0e8786f79d

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/desktop-ledgjrr.pages.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=desktop-ledgjrr.pages.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io