# ldgr78sahjk.samra2.workers.dev — SUSPICIOUS

> Fake Ledger Live phishing domain ldgr78sahjk.samra2.workers.dev detected. 0/95 VirusTotal detections. Check the full report.

## Summary

PhishDestroy identifies ldgr78sahjk.samra2.workers.dev as an active brand-impersonating domain targeting Ledger users by mimicking the Ledger Live application interface. The domain employs a deceptive Workers.dev subdomain strategy to host a phishing page designed to harvest cryptocurrency wallet credentials under the guise of a legitimate software update or login portal. No advanced drainer kit components (e.g., clipboard hijackers, wallet drainers) have been confirmed in this initial investigation, but the page title 'Ledger Live' indicates clear intent to deceive users seeking official Ledger services.

This domain resolves to Cloudflare IP 172.67.130.39 and operates with a Google Trust Services SSL certificate, increasing its deceptive legitimacy. VirusTotal currently shows 0/95 detection engines flagging the domain, despite active impersonation of Ledger. The domain was registered through Cloudflare, Inc., leveraging the Workers.dev platform for rapid deployment. No specific creation date is publicly available, but the domain remains active under investigation.

The current status remains active with an 'under_investigation' risk rating. Ledger and cybersecurity communities have not yet added this domain to major blocklists (e.g., Google Safe Browsing reports no blacklisting). Users should avoid accessing ldgr78sahjk.samra2.workers.dev, verify URLs through official Ledger channels, and report any suspicious interactions. Remaining risk includes potential evolution into a full drainer kit or broader credential theft campaign if undetected.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: alive (HTTP ?)
- Target brand: Ledger
- Page title: Ledger Live

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.67.130.39

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/d9a62e5b-99ea-46fb-988c-cd549152ce07
- PhishDestroy: https://phishdestroy.io/domain/ldgr78sahjk.samra2.workers.dev/
- LLM endpoint: https://phishdestroy.io/domain/ldgr78sahjk.samra2.workers.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ldgr78sahjk.samra2.workers.dev/
Last updated: 2026-04-13