# PhishDestroy threat dossier — ledger-hard.com ================================================================ Fetched: 2026-07-04 00:48:04 UTC Canonical: https://phishdestroy.io/domain/ledger-hard.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 98/100 (PhishDestroy scoring — see methodology below) Targeted brand: Ledger Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/95 security vendors flagged this domain Flagging vendors: Kaspersky URLQuery: 3 detections Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.3.7 (US, San Francisco) Hosting org: AS13335 Cloudflare, Inc. Registrar: Hello Internet Corp Nameservers: finley.ns.cloudflare.com, rachel.ns.cloudflare.com Registered: 2026-02-12 Expires: 2027-02-12 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-02-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-02 15:33:15 UTC (by PhishDestroy tracker) First reported: 2026-07-02 13:50:31 UTC (abuse notice filed) Last verified: 2026-07-04 00:20:35 UTC Neutralised: 2026-07-02 15:34:06 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f2308-14ca-70de-a6cf-48dd950959a0/ URLQuery: https://urlquery.net/report/cd5ac3f6-2483-475e-a6ea-38b6a619f83e Wayback Machine: https://web.archive.org/web/*/ledger-hard.com crt.sh CT logs: https://crt.sh/?q=%25.ledger-hard.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledger-hard.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/ledger-hard.com URLhaus: https://urlhaus.abuse.ch/host/ledger-hard.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-02 15:37:07 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, ledger-hard.com, is identified as a crypto drainer designed to siphon cryptocurrency assets from victims by impersonating legitimate wallet services. Crypto drainers operate by injecting malicious JavaScript into compromised or fake websites, tricking users into authorizing transactions that transfer funds to attacker-controlled wallets. The threat is particularly dangerous for users of decentralized finance (DeFi) platforms, hardware wallets, or browser-based wallet extensions, as the drainer exploits signature requests to execute unauthorized transfers without the victim's explicit knowledge. Analysis indicates this domain was registered on February 12, 2026, through Hello Internet Corp, a registrar frequently associated with newly created malicious infrastructure. At the time of assessment, the domain resolved to the IP address 104.21.3.7 and presented an SSL certificate issued by Google Trust Services, which may lend a false sense of legitimacy. VirusTotal reported 0 detections out of 95 security engines, suggesting the domain has not yet been widely flagged by automated systems. The lack of prior detections, combined with the recent registration date, aligns with tactics used by threat actors to evade detection during the initial deployment phase of an attack. Users who visited ledger-hard.com or interacted with its content should immediately revoke any active wallet authorizations associated with the site. This can be done through wallet management interfaces or blockchain explorers that support transaction revocation. Additionally, affected users should transfer remaining assets to a new, secure wallet and monitor their transaction history for unauthorized activity. If credentials or recovery phrases were entered on the site, the compromised wallet should be considered fully exposed, and all linked accounts should be reviewed for signs of unauthorized access. Network-level indicators, such as the IP address 104.21.3.7, should be blocked in enterprise environments to prevent further exposure. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260702-C76CF2 Favicon MD5: 5e7e616dc943d23075771a3df24210dc ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/ledger-hard.com/ JSON API: https://api.destroy.tools/v1/check?domain=ledger-hard.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,417 domains (12,388 alive under monitoring, 161,211 confirmed takedowns/dead). Site: https://phishdestroy.io