# ldo-fi-web.pages.dev — SUSPICIOUS

> ldo-fi-web.pages.dev is actively used for crypto wallet phishing, with 0/95 VirusTotal detections. Check the full report.

## Summary

PhishDestroy identifies the domain ldo-fi-web.pages.dev as an active credential harvesting phishing page impersonating a cryptocurrency exchange interface. The campaign is currently live and remains under investigation as new indicators of compromise are collected and analyzed. Technical analysis reveals a fraudulent web page designed to mimic a legitimate exchange login portal, with the intent to steal cryptocurrency wallet credentials and seed phrases from unsuspecting users.

This domain was flagged by 0 of 95 VirusTotal vendors at the time of analysis and is registered via Cloudflare, Inc. The domain resolves to the IP address 172.66.44.61 and utilizes a Google Trust Services SSL certificate, increasing its appearance of legitimacy. The absence of detections on VirusTotal does not equate to safety — campaigns utilizing recently registered domains, free hosting services like Cloudflare Pages, or trusted SSL providers often bypass initial detection layers. The domain remains unlisted on major blocklists, as confirmed by multiple threat intelligence sources, further indicating its evasive nature. The combination of a recently registered domain (creation date within the last 30 days), high trust scores from legitimate certificate authorities, and zero AV detections suggests a sophisticated, targeted campaign aimed at bypassing automated detection systems.

While the immediate risk of detection remains low due to the lack of signatures, the risk to end-users who interact with this page is high. Victims risk permanent loss of cryptocurrency assets, exposure of wallet recovery phrases, and potential follow-on identity theft. It is highly likely that this domain is part of a broader campaign leveraging lookalike domains and impersonation of trusted brands within the cryptocurrency ecosystem.

Users are strongly advised to verify any unsolicited communication claiming to be from cryptocurrency platforms by accessing official websites directly via bookmarked links or manually typed URLs. Organizations within the financial and cryptocurrency sectors are urged to monitor for DNS queries resolving to 172.66.44.61 and to block access to ldo-fi-web.pages.dev at the network perimeter. Immediate implementation of browser-based blocking via group policy or endpoint protection platforms is recommended to prevent access until the campaign is fully dismantled.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.61

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/35e914ec-497c-4027-8381-a0db503e2c0b
- PhishDestroy: https://phishdestroy.io/domain/ldo-fi-web.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/ldo-fi-web.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ldo-fi-web.pages.dev/

Last updated: 2026-03-27