# PhishDestroy threat dossier — know-ledgr-walet.pages.dev
================================================================

Fetched:   2026-04-22 13:00:23 UTC
Canonical: https://phishdestroy.io/domain/know-ledgr-walet.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Trezor

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      11/94 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, BitDefender, CyRadar, Ermes, ESET, Fortinet, G-Data, Kaspersky, Lionic, PhishFort, Sophos

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.96.3 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     CloudFlare, Inc.
Registrar:       Cloudflare, Inc.
Nameservers:     jeff.ns.cloudflare.com, kenia.ns.cloudflare.com
Registered:      2026-04-13
Page title:      Trezor Suite® | Secure Crypto Management
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-06-21
Status:     INVALID chain
Fingerprint: 5b61ab89c5861b8cfa689b576b9cec4ca40145e24a61b15a38eb112499c80e04

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-13 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-13 04:20:11 UTC (by PhishDestroy tracker)
Last verified:     2026-04-21 16:07:30 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d846a-bd2c-72df-b77b-ac2e854d21b9/
Wayback Machine:  https://web.archive.org/web/*/know-ledgr-walet.pages.dev
crt.sh CT logs:   https://crt.sh/?q=%25.know-ledgr-walet.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=know-ledgr-walet.pages.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/know-ledgr-walet.pages.dev
URLhaus:          https://urlhaus.abuse.ch/host/know-ledgr-walet.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-13 04:22:07 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies know-ledgr-walet.pages.dev as a newly active crypto drainer impersonating Ledger hardware wallet interfaces to harvest seed phrases and private keys. This domain leverages Cloudflare Pages to host a convincing replica of Ledger's official web wallet interface, tricking users into entering sensitive credentials under the guise of 'account verification' or 'firmware updates.' The threat actor behind this operation likely automates fund transfers the moment credentials are submitted, exploiting the irreversible nature of blockchain transactions. Initial observations confirm the domain resolves to Cloudflare's edge network (188.114.96.3), with SSL certificates issued by Google Trust Services to enhance legitimacy. Threat intelligence platforms have not yet flagged this infrastructure, leaving users vulnerable to undetected compromise.  Analysis of technical indicators reveals this domain was registered through Cloudflare, Inc. with no publicly listed WHOIS privacy protection, suggesting a short-lived but high-impact campaign. The infrastructure's association with Cloudflare Pages correlates with similar campaigns targeting cryptocurrency users, where attackers exploit legitimate hosting services to evade traditional IP-based blocking. VirusTotal currently reports zero detections across 95 scanning engines, indicating the domain remains under the radar of mainstream security vendors. Given its active status and the absence of countermeasures, the risk of exposure is high, particularly for users searching for 'Ledger wallet' or related terms. The domain's recent creation further increases its potential for rapid deployment across phishing channels like social media and fraudulent ads.  Organizations and individuals must treat know-ledgr-walet.pages.dev as a critical threat and immediately block access at the network level. Users who visited this domain should assume their Ledger credentials may have been compromised and revoke wallet access via Ledger Live's 'Manage Devices' feature. Perform a factory reset on the physical device and generate new seed phrases, storing them offline in a secure location. Monitor on-chain transactions for unauthorized transfers, and report any suspicious activity to Ledger's official support channels. Enable multi-factor authentication on all exchange accounts and consider migrating assets to cold storage if warm wallets were previously used. Security teams should update firewall rules to block the IP (188.114.96.3) and domain, while conducting phishing awareness training to highlight the dangers of non-official wallet interfaces.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256:      5b61ab89c5861b8cfa689b576b9cec4ca40145e24a61b15a38eb112499c80e04

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/know-ledgr-walet.pages.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=know-ledgr-walet.pages.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io