# PhishDestroy threat dossier — get-ldger-live-en.pages.dev
================================================================

Fetched: 2026-05-03 20:37:42 UTC
Canonical: https://phishdestroy.io/domain/get-ldger-live-en.pages.dev/

## VERDICT
----------------------------------------------------------------

CRITICAL THREAT — DO NOT VISIT
Composite threat score: 97/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 2/94 security vendors flagged this domain
Flagging vendors: LevelBlue, Netcraft

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: kipp.ns.cloudflare.com, nia.ns.cloudflare.com
Registered: 2026-04-17
Page title: Ledger® Live Desktop® | Secure Crypto® Management
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Google Trust Services / WE1
Expires: 2026-07-08
Status: INVALID chain
Fingerprint: a7fbada44b44756980a31a5e0112c082d3e7a77d5f095bcebeef084c99232033

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-04-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-18 00:44:05 UTC (by PhishDestroy tracker)
Last verified: 2026-04-26 01:40:04 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019d9d65-ddd7-73b5-a83a-a6fded9c7aba/
Wayback Machine: https://web.archive.org/web/*/get-ldger-live-en.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.get-ldger-live-en.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=get-ldger-live-en.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/get-ldger-live-en.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/get-ldger-live-en.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-04-18 00:44:41 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies get-ldger-live-en.pages.dev as an active credential phishing domain impersonating the Ledger brand. This site masquerades as Ledger's official portal to deceive users into surrendering private keys or seed phrases under the guise of account verification. The threat targets cryptocurrency users by exploiting familiarity with hardware wallet brands to bypass security awareness. This is an ongoing investigation with confirmed malicious intent, though infrastructure remains partially obfuscated behind reputable services.

This domain was flagged for brand impersonation of Ledger, a leading cryptocurrency hardware wallet manufacturer.
Intelligence shows it is registered via Cloudflare, Inc., resolves to IP 188.114.97.3, and holds an SSL certificate issued by Google Trust Services — indicators often abused to lend false legitimacy. VirusTotal currently reports 0 detections out of 95 threat engines as of seed 95bae4, suggesting it has not yet propagated through global signature updates. However, the use of a Cloudflare Pages subdomain (pages.dev) is a known tactic to rapidly deploy counterfeit login portals that evade traditional blocklist filtering. No public blocklist entries or historical takedown records are associated with this IP or domain at this time, which increases its window of operation. The SSL certificate issued by Google Trust Services does not inherently validate the site's authenticity, as threat actors frequently abuse trusted CAs to encrypt malicious traffic.

To mitigate exposure to this Ledger impersonation campaign, users should never access wallet interfaces via third-party links, especially those received via email, social media, or ads. Verify any Ledger-related URL by manually typing ledger.com into the browser and confirming the site uses HTTPS with a valid certificate chain rooted in Ledger's official domains. Do not enter credentials, seed phrases, or private keys on any page claiming to represent Ledger unless you initiated contact through an independently confirmed source. Enable multi-factor authentication on official accounts and consider using hardware wallets that require physical confirmation for transactions. Report this domain immediately to PhishDestroy and your security team to help block future campaigns using similar obfuscation tactics.
## EVIDENCE HASHES
----------------------------------------------------------------

Favicon MD5: 0c23393a2962fa25800b09e18dd6b102
TLS cert SHA-256: a7fbada44b44756980a31a5e0112c082d3e7a77d5f095bcebeef084c99232033

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/get-ldger-live-en.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=get-ldger-live-en.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 145,308 domains (56,110 alive under monitoring, 88,838 confirmed takedowns/dead).
Site: https://phishdestroy.io