# ledger---live--run.pages.dev — SUSPICIOUS

> Website ledger---live--run.pages.dev impersonates Ledger to deploy a crypto drainer; VirusTotal shows 0/95 detections—verify before entering any data.

## Summary

PhishDestroy identifies ledger---live--run.pages.dev as an active crypto drainer masquerading as the legitimate Ledger hardware wallet. The domain lures users into connecting their crypto wallets under false pretenses, aiming to exfiltrate cryptocurrency assets via fraudulent transaction requests. The attacker’s infrastructure is hosted on a Cloudflare Pages subdomain, leveraging Cloudflare’s free tier to obscure origin servers and evade rapid takedowns. SSL certificates issued by Google Trust Services further enhance the site’s apparent legitimacy, tricking visitors into believing the connection is secure. DNS resolution to IP 172.66.44.74 confirms active hosting, though no threat intelligence platforms have flagged the domain yet, as reflected by VirusTotal’s 0 detections out of 95 scanners.

This domain was flagged on seed 751c6d under brand impersonation with a risk level marked as under_investigation. The impersonation specifically targets Ledger users, a leading brand in hardware wallet security, by mirroring the brand’s visual identity and domain structure. The use of a Cloudflare Pages subdomain (pages.dev) is a common tactic among crypto-draining operators due to the platform’s fast deployment and built-in CDN, which complicates traditional IP-based blocking. With zero detections on VirusTotal despite active scanning from multiple security vendors, the domain remains a latent threat capable of evading automated defenses. The brand target—Ledger—has a large user base, making this impersonation a high-impact attack vector.

Users who visited ledger---live--run.pages.dev should immediately disconnect any connected wallets, revoke any unauthorized permissions via their wallet’s settings, and transfer remaining assets to a clean, isolated wallet if suspicious transactions occurred. Do not enter seed phrases, private keys, or recovery phrases on this or any unsolicited page. Clear browser cache and cookies related to Ledger or crypto services. Report the domain to your antivirus provider and Ledger’s official support channel for takedown action. Always access the real Ledger site via an official link verified from the company’s verified X (Twitter) or official website—never via search engine ads or untrusted links.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Ledger

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.74

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/c2dbecc5-67e0-4209-8bf3-a7ff976138e5
- PhishDestroy: https://phishdestroy.io/domain/ledger---live--run.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/ledger---live--run.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ledger---live--run.pages.dev/

Last updated: 2026-03-30