# PhishDestroy threat dossier — ledger-live-desktop-app.org
================================================================

Fetched: 2026-06-22 23:59:10 UTC
Canonical: https://phishdestroy.io/domain/ledger-live-desktop-app.org/

## VERDICT
----------------------------------------------------------------

ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims

Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 16/91 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, Criminal IP, alphaMountain.ai, BitDefender, Chong Lua Dao, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, SOCRadar, Sophos, VIPRE, Webroot
Public blocklists: listed on 2 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 208.91.199.152
Registrar: Edomains LLC
Nameservers: ns1.bh-25.webhostbox.net, ns2.bh-25.webhostbox.net
Registered: 2026-06-12
Expires: 2026-10-12

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Let's Encrypt / R13
Expires: 2026-08-17
Status: INVALID chain
Fingerprint: 809e08d80fba27672fc6cf601065e1fbbc29c30ce92465d14d7ed289d9ff6cd7

Subject Alternative Names (related infrastructure — often same operator):
- 1000pictures.com
- 300watches.com
- advertisinghunt.net
- aesbrasil.org
- aldokkan.com
- altocelebs.com
- antimedia.net
- arts-decor.com
- bcchinese.net
- beszeljukmac.com
- bloghaus.net
- bodycare2000.com
- cafeblo.com
- cedarland.org
- certificity.com
- ...
- +77 more

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-06-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-12 17:16:10 UTC (by PhishDestroy tracker)
First reported: 2026-06-12 17:16:10 UTC (abuse notice filed)
Last verified: 2026-06-23 00:20:34 UTC
Neutralised: 2026-06-17 00:43:21 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019ebc65-d00b-7128-8f96-78e662d06d3c/
Wayback Machine: https://web.archive.org/web/*/ledger-live-desktop-app.org
crt.sh CT logs: https://crt.sh/?q=%25.ledger-live-desktop-app.org
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledger-live-desktop-app.org
AlienVault OTX: https://otx.alienvault.com/indicator/domain/ledger-live-desktop-app.org
URLhaus: https://urlhaus.abuse.ch/host/ledger-live-desktop-app.org/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-06-22 23:28:18 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain ledger-live-desktop-app.org impersonates the cryptocurrency hardware wallet brand Ledger. This phishing operation is particularly concerning given its high platform risk score of 93 out of 100. The domain was first detected by PhishDestroy on June 12, 2026, the same day it was created, indicating a rapid deployment strategy by the threat actors.
Despite the domain being taken down and offline, it has already been flagged as malicious by 16 out of 91 vendors on VirusTotal. Additionally, it appears on two public blocklists, including PhishDestroy and Enkrypt. The domain was registered through Edomains LLC and hosted on the IP address 208.91.199.152, with a Let's Encrypt TLS certificate issued under R13.

The impersonation of Ledger suggests a targeted approach to deceive users into divulging sensitive information related to cryptocurrency assets. Such scams can lead to significant financial losses for victims. The quick detection and subsequent takedown of the domain highlight the effectiveness of threat intelligence efforts in mitigating risks associated with phishing domains. However, the initial window of opportunity for attackers underscores the importance of continuous monitoring and rapid response to emerging threats.

## EVIDENCE HASHES
----------------------------------------------------------------

Favicon MD5: 4504b09397ce9b455e6ddc4a6c8586fc
TLS cert SHA-256: 809e08d80fba27672fc6cf601065e1fbbc29c30ce92465d14d7ed289d9ff6cd7

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/ledger-live-desktop-app.org/
JSON API: https://api.destroy.tools/v1/check?domain=ledger-live-desktop-app.org
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 168,160 domains (12,911 alive under monitoring, 154,931 confirmed takedowns/dead). Site: https://phishdestroy.io