# eng-ledgerus.pages.dev — SUSPICIOUS

> eng-ledgerus.pages.dev operates a crypto drainer scam. VirusTotal shows 0/95 detections. Check the full report.

## Summary

PhishDestroy identifies eng-ledgerus.pages.dev as an active crypto drainer posing as Ledger Live. The domain uses a spoofed interface to trick users into entering wallet recovery phrases or private keys. Security teams traced the site’s drainer kit to a Google Trust Services-validated SSL certificate and Cloudflare-hosted infrastructure, indicating attempts to appear legitimate at first glance. The payload likely executes Web3 wallet interaction scripts that drain tokens directly from connected wallets without confirmation prompts. This domain was flagged under seed 733c0a and analyzed on the live threat feed.

VirusTotal recorded 0 out of 95 detection engines flagging the URL at the time of inspection. The site resolves to Cloudflare-fronted IP 172.66.45.8 and uses a certificate issued by Google Trust Services (GTS), which helps it evade early browser warnings. Registered through Cloudflare, Inc., the domain remains unblocked by Google Safe Browsing (GSB) and has not yet been added to any public blocklists, leaving users directly exposed to it.

As of today, eng-ledgerus.pages.dev remains active and continues to receive updated drainer payloads to bypass browser and network defenses. Users who accessed the site without protection risk compromised seed phrases or wallet signatures. PhishDestroy recommends immediately blocking the domain via the hosts file or DNS sinkholing, and crypto users should revoke any wallet approvals granted to this domain. The risk level remains under investigation pending deeper payload analysis; however, behavioral indicators align with high-confidence drainer kits. Monitor updates under seed 733c0a for IOC enrichment.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.45.8

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/eng-ledgerus.pages.dev
- PhishDestroy: https://phishdestroy.io/domain/eng-ledgerus.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/eng-ledgerus.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/eng-ledgerus.pages.dev/

Last updated: 2026-04-06