# ledger-com-on.pages.dev — SUSPICIOUS

> ledger-com-on.pages.dev mimics Ledger’s official site to steal crypto via a malicious wallet drainer kit. Resolves to 188.114.96.

## Summary

PhishDestroy identifies ledger-com-on.pages.dev as an active Ledger brand impersonation site currently under forensic review. This domain masquerades as the legitimate Ledger hardware wallet portal while hosting a drainer kit designed to siphon cryptocurrency assets from unwitting users. The page leverages Cloudflare’s infrastructure and a Google Trust Services SSL certificate to appear authentic at first glance, targeting holders of Ledger devices with spoofed “firmware update” lures and seed-phrase harvesting forms. No known exploit kit signatures are publicly listed yet, but the domain’s behavior aligns with modern wallet-draining campaigns that automate transfers to attacker-controlled addresses.

Technical indicators place ledger-com-on.pages.dev on Cloudflare, Inc. infrastructure resolving to IPv4 188.114.96.3. VirusTotal currently returns 0 out of 95 engines flagging the domain or its payload, and the SSL certificate is issued by Google Trust Services—legitimate but weaponized via misrepresentation. The domain was registered through Cloudflare Registrar and is served via Cloudflare Pages, enabling rapid turnover and traffic obfuscation. Google Safe Browsing has not yet listed this URL, and public blocklists show zero detections at the time of writing. These sparse detection rates suggest a recently deployed or carefully segmented campaign.

This domain remains active and poses a HIGH immediate risk to any user who accesses it with a connected wallet or enters seed phrases. Ledger’s official domains are ledger.com and shop.ledger.com; any deviation, including this Cloudflare Pages subdomain, is malicious. Users are advised to disconnect wallets, clear browser sessions, and report the domain to their browser vendors and Ledger’s abuse channels.

Until detection coverage improves, treat ledger-com-on.pages.dev as a confirmed threat actor endpoint; blocklist locally and avoid all interaction. The investigation is ongoing, and risk remains elevated due to low third-party detection and the domain’s cloaking behavior through legitimate providers.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Ledger

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/1b4ca513-7b9b-43ff-ad81-123aec923179
- PhishDestroy: https://phishdestroy.io/domain/ledger-com-on.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/ledger-com-on.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ledger-com-on.pages.dev/

Last updated: 2026-03-24