# PhishDestroy threat dossier — hame-ldger-io.pages.dev
================================================================

Fetched:   2026-04-23 04:41:22 UTC
Canonical: https://phishdestroy.io/domain/hame-ldger-io.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      9/94 security vendors flagged this domain
  Flagging vendors: alphaMountain.ai, BitDefender, CyRadar, Fortinet, G-Data, Kaspersky, LevelBlue, Lionic, Sophos

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.66.45.7 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     Cloudflare, Inc.
Registrar:       Cloudflare, Inc.
Nameservers:     anirban.ns.cloudflare.com, joselyn.ns.cloudflare.com
Registered:      2026-03-28
Page title:      Getting Started — Ledger (Quick 1000‑word Presentation)
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-06-26
Status:     INVALID chain
Fingerprint: ec07f0c7e585bf644aa55a4cbb248e050aca924b5f72a5d1c99b7d7531cf334a

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-03-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-03-28 09:24:34 UTC (by PhishDestroy tracker)
Last verified:     2026-04-21 16:10:52 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d331a-f490-7289-87ef-b195b2fc40dd/
Wayback Machine:  https://web.archive.org/web/*/hame-ldger-io.pages.dev
crt.sh CT logs:   https://crt.sh/?q=%25.hame-ldger-io.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=hame-ldger-io.pages.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/hame-ldger-io.pages.dev
URLhaus:          https://urlhaus.abuse.ch/host/hame-ldger-io.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-03-28 09:27:30 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This investigation report documents an active credential theft campaign linked to the domain hame-ldger-io.pages.dev. Based on behavioral analysis and threat intelligence correlation, PhishDestroy assesses the risk level for this domain as elevated due to its confirmed engagement in credential theft operations targeting unsuspecting users. The threat actor employs deceptive web pages designed to masquerade as legitimate login portals, capturing user credentials for unauthorized access and subsequent exploitation.  

PhishDestroy’s analysis reveals the following technical indicators and supporting data points: the domain hame-ldger-io.pages.dev exhibits a valid SSL certificate issued by Google Trust Services, indicating an attempt to establish false trust. VirusTotal analysis shows 3 out of 95 security vendors flagging the domain as malicious as of the latest scan, with detection names including credential phishing and data exfiltration. The domain resolves to IP address 172.66.45.7, hosted on Cloudflare infrastructure via Pages.dev, a platform often abused for rapid deployment of spoofed sites. The domain registration details are obscured behind Cloudflare’s privacy protection, a common tactic among malicious actors to delay takedown efforts. While the exact creation date is not publicly disclosed due to registrar privacy, the domain’s presence on Cloudflare Pages and active use in campaigns strongly suggest recent registration and immediate operational intent. No known blocklists are currently flagging this specific subdomain, however, the low detection rate on VirusTotal highlights the stealthy nature of this campaign.  

Given the confirmed credential theft objective, users must treat this domain as hostile. Avoid submitting any login credentials, personal data, or financial information upon encountering pages hosted at hame-ldger-io.pages.dev. Organizations are advised to implement real-time domain blocking for hame-ldger-io.pages.dev and monitor DNS logs for outbound connections to IP 172.66.45.7. Security teams should also configure browser-based protections to flag Cloudflare Pages domains used for logins and enable multi-factor authentication (MFA) across all accounts to mitigate credential theft impact. If exposure is suspected, immediately rotate passwords and revoke active sessions. Report this domain through official phishing channels and consider submitting indicators to threat intelligence platforms for broader dissemination and prevention.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256:      ec07f0c7e585bf644aa55a4cbb248e050aca924b5f72a5d1c99b7d7531cf334a

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/hame-ldger-io.pages.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=hame-ldger-io.pages.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io