# en-desktop-ledgrer.pages.dev — SUSPICIOUS

> PhishDestroy identifies en-desktop-ledgrer.pages.dev as a live crypto drainer impersonating Ledger wallets. VT score 0/95, resolve IP 188.114.97.3.

## Summary
PhishDestroy identifies en-desktop-ledgrer.pages.dev as a live crypto drainer site currently impersonating Ledger hardware wallet users. The page uses a Pages.dev subdomain created via Cloudflare Registrar and resolves to IP 188.114.97.3. No known drainer kit signatures have been extracted from the payload yet, but the site is actively serving a fake Ledger firmware update page that requests wallet seed phrases and private keys. Initial lure is spread via fake support emails and fraudulent Ledger-branded ads on social media.  

Forensic indicators show zero VirusTotal detections despite active distribution, with SSL issued by Google Trust Services on an undetermined date. The domain is hosted on Cloudflare Pages, leveraging IP 188.114.97.3 within ASN 13335. Google Safe Browsing status remains under_investigation, and no public blocklists have flagged the domain yet. Creation date is unknown due to Cloudflare’s privacy protection masking registration timestamps. Behavioral analysis reveals immediate redirection attempts to external wallet drainer domains after fake “device update” initiation, confirming active exploitation phase.  

This domain remains active and unblocked across major browsers and security platforms. Cloudflare has not yet suspended the Pages.dev deployment despite escalation attempts, indicating a persistent hosting vector. Users who visited the link are advised to revoke any exposed wallet approvals, transfer funds to clean wallets, and scan devices for malware. Remaining risk is rated high due to zero detection coverage and ongoing distribution via ad networks and phishing campaigns.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 188.114.97.3

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/56e0993d-2bb3-4232-be58-cb693915ad1e
- PhishDestroy: https://phishdestroy.io/domain/en-desktop-ledgrer.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/en-desktop-ledgrer.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/en-desktop-ledgrer.pages.dev/
Last updated: 2026-03-26