# PhishDestroy threat dossier — ledger-hardware-wallet.pages.dev
================================================================

Fetched:   2026-04-27 05:34:35 UTC
Canonical: https://phishdestroy.io/domain/ledger-hardware-wallet.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 82/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/95 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.66.47.103
Registrar:       Cloudflare, Inc.
Nameservers:     sneh.ns.cloudflare.com, trace.ns.cloudflare.com
Registered:      2026-04-27
Page title:      Ledger Hardware Wallet Setup — Beginner's Guide (Safe, Step-by-Step)
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-07-11
Status:     INVALID chain
Fingerprint: ff62bc1eae59e1f454d2c49baf4d26f6c66d68c24d6eabf8216406f0f9fbd1a5

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-27 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-27 05:32:39 UTC (by PhishDestroy tracker)
Last verified:     2026-04-27 08:30:14 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dccc6-b460-712d-9c4d-97e72a70fa69/
Wayback Machine:  https://web.archive.org/web/*/ledger-hardware-wallet.pages.dev
crt.sh CT logs:   https://crt.sh/?q=%25.ledger-hardware-wallet.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledger-hardware-wallet.pages.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/ledger-hardware-wallet.pages.dev
URLhaus:          https://urlhaus.abuse.ch/host/ledger-hardware-wallet.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-27 05:34:13 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies active impersonation of Ledger’s official hardware wallet setup process on the domain ledger-hardware-wallet.pages.dev. This fraudulent site mimics the legitimate Ledger onboarding experience to deceive users into entering sensitive recovery phrases or seed phrases under the guise of 'beginners guide' instructions. The page title explicitly claims to be a 'Safe, Step-by-Step' setup, leveraging Ledger’s reputation to lower user suspicion and increase the likelihood of credential theft or cryptocurrency theft. This is not a generic phishing site—it is a targeted brand impersonation designed to exploit trust in a leading hardware wallet manufacturer.  

This domain was flagged by PhishDestroy with the unique seed 597742. The site currently resolves to IP 172.66.47.103 via Cloudflare, Inc. and uses a Google Trust Services SSL certificate to appear legitimate. As of investigation, VirusTotal reports 0 detections out of 95 scanners, indicating it remains undetected by most antivirus engines. This low detection rate increases the risk of exposure to users searching for official setup instructions. The use of a *.pages.dev subdomain under Cloudflare Pages further conceals the malicious intent behind a facade of a reputable platform.  

If you visited this site or entered any information, assume compromise immediately. Do not use any cryptocurrency accounts or wallets connected to the entered phrase. Ledger does not distribute wallet setup via third-party domains like pages.dev. If you provided a recovery phrase, seed phrase, or private key, move all funds to a new, isolated wallet and revoke any connected software permissions. Report the domain to your security team and consider rotating all associated passwords. Avoid searching for wallet setup guides via search engines—navigate directly to ledger.com using a verified bookmark or your own trusted typing. Stay vigilant: trust only official domains and channels.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256:      ff62bc1eae59e1f454d2c49baf4d26f6c66d68c24d6eabf8216406f0f9fbd1a5

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/ledger-hardware-wallet.pages.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=ledger-hardware-wallet.pages.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io