# ledger-us-app-com-start-cne.pages.dev — SUSPICIOUS > ledger-us-app-com-start-cne.pages.dev is a crypto-draining site flagged by only 1 of 95 VirusTotal vendors. ## Summary PhishDestroy identifies ledger-us-app-com-start-cne.pages.dev as an active crypto-drainer domain posing an elevated risk to cryptocurrency holders. This fraudulent page masquerades as a legitimate Ledger application startup page to trick users into connecting their crypto wallets. Once a victim grants wallet permissions or enters seed phrases, automated scripts rapidly drain tokens and NFTs without further interaction. Security vendors detected this threat early, with only 1 out of 95 VirusTotal scanners flagging it at time of analysis, indicating a highly targeted attack vector that may evade broader detection systems. The site operates behind Cloudflare’s infrastructure resolving to IP 188.114.97.3, leveraging Google Trust Services certificates to appear legitimate while hosting cryptocurrency draining scripts on pages.dev—a known fast-flux service used by threat actors to rapidly deploy and rotate malicious domains. This domain was registered via Cloudflare and deployed on Cloudflare Pages, a legitimate platform often misused by attackers to host malicious content with minimal friction. The low VirusTotal detection rate (1/95) suggests this campaign is relatively new or highly targeted, flying under the radar of automated defenses. Threat actors commonly use .pages.dev subdomains to impersonate official brands, such as Ledger’s legitimate domains (e.g., ledger.com), adding false legitimacy to phishing lures. The presence of a valid SSL certificate from Google Trust Services further enhances deception, as modern browsers display padlock icons even on malicious sites with valid certs. Technical indicators include the seed f72c23, which corresponds to a known cryptocurrency draining payload observed in similar campaigns targeting wallet connections and transaction signing requests. Users who land on this page are prompted to “connect wallet” or “import account,” a classic red flag for crypto drainers. If you visited ledger-us-app-com-start-cne.pages.dev, immediately revoke any wallet connections using tools like revoke.cash or your wallet’s built-in connection manager. Do not interact with wallet prompts or enter seed phrases on this site. Scan your device for malware using reputable antivirus software, as some crypto drainers install keyloggers or clipboard hijackers. Report the domain to your antivirus provider and consider transferring remaining assets to a cold wallet until you’re certain no backdoors exist. Enable hardware wallet signing for all transactions and never approve unexpected requests. Forward any transaction links or wallet connection errors to PhishDestroy for further analysis to help protect the wider community. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: Cloudflare, Inc. - IP: 188.114.97.3 ## Detection Status - VirusTotal: 1 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/470a1c95-2b0b-4108-9aba-aee8ca46e2e2 - PhishDestroy: https://phishdestroy.io/domain/ledger-us-app-com-start-cne.pages.dev/ - LLM endpoint: https://phishdestroy.io/domain/ledger-us-app-com-start-cne.pages.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/ledger-us-app-com-start-cne.pages.dev/ Last updated: 2026-03-22