# io-en-ledger-in.pages.dev — SUSPICIOUS

> io-en-ledger-in.pages.dev (Cloudflare) hosts a crypto drainer with 1/95 VirusTotal detections, mimicking Ledger wallets to steal crypto assets.

## Summary

PhishDestroy identifies io-en-ledger-in.pages.dev as an active crypto drainer domain impersonating Ledger’s wallet interface. This domain employs a drainer kit designed to siphon cryptocurrency assets from unsuspecting users under the guise of a legitimate Ledger verification page. While the infrastructure leverages Cloudflare’s Pages service for hosting, the threat actor’s intent is clear: to deceive victims into connecting their wallets and approving fraudulent transactions.

Forensic analysis reveals exact threat indicators: VirusTotal flags only 1 out of 95 security vendors (1.05%), while the domain resolves to IP 188.114.97.3, operated by Cloudflare, Inc., via a Google Trust Services SSL certificate. This indicates a sophisticated evasion technique, as the certificate chain appears legitimate at first glance. The seed identifier 296b68 ties this domain to a known campaign infrastructure, suggesting reuse or shared threat actor involvement.

Current status shows active deployment with no blocklist mitigations detected at the time of analysis. Immediate actions include adding the domain and IP to corporate blocklists (DNS, firewall, proxy), and flagging the SSL certificate for inspection. Despite its elevated risk profile, this domain remains unlisted on major threat intelligence platforms, highlighting the need for proactive hunting. Remaining risk is moderate due to widespread Ledger user targeting and drainer kit efficacy, necessitating user awareness campaigns and wallet connection verification procedures.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/3ba5eb43-ade7-4485-be51-75c0e28d65bd
- PhishDestroy: https://phishdestroy.io/domain/io-en-ledger-in.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/io-en-ledger-in.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/io-en-ledger-in.pages.dev/

Last updated: 2026-04-01