# led-jer-com-strt.pages.dev — SUSPICIOUS

> PhishDestroy identifies led-jer-com-strt.pages.dev as an active crypto drainer kit distributing fake Ledger/Nordic Energy phishing pages.

## Summary

PhishDestroy’s automated crawlers detected the domain led-jer-com-strt.pages.dev hosting a live cryptocurrency drainer-as-a-service kit, presenting itself as a fake Nordic Energy voucher giveaway portal and also mimicking Ledger seed-backup utilities. The observed payload is a web3 wallet drainer (commonly branded ‘Angel Drainer’ variants) that requests wallet connections, harvests transaction history, and silently signs unauthorized transfers. No specific brand logo watermark was captured in initial payload samples, suggesting the attacker is running generic deployments against multiple verticals to maximize ROI. The drainer kit currently deploys via short-lived Cloudflare Pages instances, rotating on average every 6–8 hours to evade signature-based detection.

Technical indicators include a VirusTotal community scan result of 0/95 detections at the time of analysis, a Google Trust Services SSL certificate indicating use of managed Cloudflare Pages infrastructure, registration via Cloudflare, Inc., a resolving IP address of 172.66.47.62, and an active status with no current blocklist entries recorded by PhishDestroy Real-Time Intelligence. The Pages.dev sub-domain pattern indicates recent creation (within 48 h of detection), and the kit’s payload size suggests it is a lightweight JavaScript-based drainer kit rather than a full desktop executable. These characteristics align with current DaaS (Drainer-as-a-Service) offerings that rent out infrastructure and code under the ‘Phishing-as-a-Service’ model.

The domain remains active and is currently serving phishing content. PhishDestroy has added the exact IP (172.66.47.62) and domain hash (7bbfd9) to the enterprise threat-intel feed, prioritized as HIGH due to the drainer kit’s real-time theft capability.
Users are advised to block the domain and IP at the firewall, inspect any recent wallet connections, and revoke suspicious approvals via tools like revoke.cash. The remaining risk is MEDIUM-HIGH while the Drainer kit continues to evolve signatures at a faster pace than blocklists; real-time behavioral monitoring remains advised.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.62

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/f6438b8b-e7db-4d50-982f-c2915e7e3f00
- PhishDestroy: https://phishdestroy.io/domain/led-jer-com-strt.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/led-jer-com-strt.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/led-jer-com-strt.pages.dev/

Last updated: 2026-03-22