# homepage--en-ledgr-us.pages.dev — SUSPICIOUS > homepage--en-ledgr-us.pages.dev hosts a crypto drainer targeting Ledger users. Detected by 0/95 VirusTotal engines. Avoid interaction immediately. ## Summary PhishDestroy identifies homepage--en-ledgr-us.pages.dev as an active crypto drainer impersonating Ledger’s official web presence. This domain deploys a browser-based wallet drainer script designed to siphon cryptocurrency assets from unsuspecting users who mistakenly believe they are interacting with legitimate Ledger services. The attack leverages a spoofed interface mimicking Ledger’s official site, tricking visitors into connecting their wallets under the false pretense of a security update or account verification process. Once a wallet is connected, the drainer executes unauthorized transactions to transfer funds to attacker-controlled addresses, often exploiting ERC-20 or BSC token standards for maximum compatibility. The operational goal is clear: rapid monetization through stolen digital assets, with no regard for victim recovery. This domain was flagged by PhishDestroy after analysis revealed multiple red flags aligning with known crypto-draining campaigns. The site operates under Cloudflare’s Pages.dev service, registered through Cloudflare, Inc., and resolves to IP 172.66.46.254. VirusTotal currently shows 0 detections out of 95 engines, indicating a low antivirus coverage window that threat actors routinely exploit. The domain’s SSL certificate is issued by Google Trust Services, adding a false sense of legitimacy. While the exact creation date is not publicly disclosed, the use of Cloudflare Pages suggests a recent deployment, likely within the last 30 days. The absence of detections and the domain’s dynamic infrastructure (frequent IP rotation, CDN obfuscation) contribute to its stealthy operation. Given these technical indicators, the risk level is assessed as active and escalating, with potential for widespread victimization as the campaign gains traction. Users who have visited homepage--en-ledgr-us.pages.dev must take immediate action to secure their assets. First, disconnect any connected wallets using the wallet’s built-in revoke or disconnect feature. Next, transfer remaining funds to a newly generated wallet address from an official Ledger device or trusted hardware wallet. Scan all devices that accessed the domain using updated antivirus and anti-malware tools, as secondary payloads (e.g., infostealers) may have been deployed. Report the incident to Ledger’s official support channel and file a complaint with relevant cybercrime units. Avoid reusing seed phrases or private keys across platforms, and enable multi-factor authentication wherever possible. Block the domain at the network level using DNS filtering tools or firewall rules. Remain vigilant for phishing emails or social engineering attempts referencing this domain, as attackers may pivot to targeted follow-up attacks. Proactive monitoring of wallet transactions and regular security audits are strongly recommended to mitigate long-term exposure. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: Cloudflare, Inc. - IP: 172.66.46.254 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/422ee8ca-484e-4a92-9c93-bc9030723612 - PhishDestroy: https://phishdestroy.io/domain/homepage--en-ledgr-us.pages.dev/ - LLM endpoint: https://phishdestroy.io/domain/homepage--en-ledgr-us.pages.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/homepage--en-ledgr-us.pages.dev/ Last updated: 2026-03-22