# PhishDestroy threat dossier — ledger-wallet-bitcoin.net
================================================================
Fetched: 2026-04-26 16:35:08 UTC
Canonical: https://phishdestroy.io/domain/ledger-wallet-bitcoin.net/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Ledger
Cloaking: DETECTED — domain returns a custom HTTP 666 (a non-standard status code that no RFC defines, so naive crawlers record it as an error) to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 18/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Kaspersky, Lionic, Netcraft, Seclookup, Sophos, VIPRE, Webroot
URLQuery: 3 detections
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 104.21.81.220 (a Cloudflare edge address; the origin server sits behind Cloudflare's proxy, so this IP is shared with many unrelated sites and is a weak pivot on its own)
Registrar: Web Commerce Communications Limited dba WebNic.cc
Nameservers: dora.ns.cloudflare.com, vick.ns.cloudflare.com
Registered: 2026-01-03

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet; this domain is waiting for the next cycle of our automated abuse-reporter.
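The cloaking finding above (HTTP 666 to scanners, a real page to browsers) can be reproduced with a two-profile fetch: request the same URL once with a bare library User-Agent and once with browser-like headers, then compare status codes and a normalised body hash. The script below is an added example, not PhishDestroy's own checker. The browser header profile is an assumption (any current desktop browser string works), and `simulated_fetch` is constructed data that mimics the behaviour the dossier reports, not a captured response from the domain; pass `live_fetch` instead to probe a real host.

```python
"""Cloaking check: fetch one URL as a scanner and as a browser, then compare.

Added example, not PhishDestroy tooling. Standard library only.
"""
import hashlib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

# A bare library User-Agent is what most automated scanners send by default.
SCANNER_HEADERS = {"User-Agent": "Python-urllib/3.12"}
# Assumed browser profile (not from the dossier); any current desktop browser works.
BROWSER_HEADERS = {
    "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"),
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9",
}


@dataclass
class Response:
    status: int
    body: bytes


Fetcher = Callable[[str, Dict[str, str]], Response]


def live_fetch(url: str, headers: Dict[str, str], timeout: float = 15.0) -> Response:
    """Fetch with urllib and return non-2xx responses (including non-standard
    codes such as 666) as data instead of raising, so both profiles compare."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read())


def fingerprint(body: bytes) -> str:
    """SHA-256 of the body with whitespace collapsed and case folded, so an
    empty cloaking response and a real page differ while formatting noise does not."""
    text = re.sub(rb"\s+", b" ", body).strip().lower()
    return hashlib.sha256(text).hexdigest()


def check_cloaking(url: str, fetch: Fetcher = live_fetch) -> dict:
    """Fetch as scanner and as browser; classify the divergence, if any."""
    bot = fetch(url, SCANNER_HEADERS)
    human = fetch(url, BROWSER_HEADERS)
    if fingerprint(bot.body) != fingerprint(human.body):
        kind = "content_divergence"  # the classification used in the dossier
    elif bot.status != human.status:
        kind = "status_divergence"   # same page, different code (e.g. 200 vs 403)
    else:
        kind = None
    return {
        "url": url,
        "cloaked": kind is not None,
        "type": kind,
        "scanner_status": bot.status,
        "browser_status": human.status,
        "scanner_bytes": len(bot.body),
        "browser_bytes": len(human.body),
    }


# Constructed stand-in for what the dossier describes; not a captured response.
FAKE_PAGE = (b"<html><head><title>Ledger Live | Secure your crypto</title></head>"
             b"<body><form><textarea name='recovery_phrase'></textarea>"
             b"<button>Restore wallet</button></form></body></html>")


def simulated_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Behave like the reported site: 666 and an empty body to anything that
    does not look like a browser, the lookalike page to a browser UA."""
    if headers.get("User-Agent", "").startswith("Mozilla/"):
        return Response(200, FAKE_PAGE)
    return Response(666, b"")


if __name__ == "__main__":
    print(check_cloaking("https://ledger-wallet-bitcoin.net/", simulated_fetch))
```

A single User-Agent split is the cheapest probe and the one this example shows; the dossier scores cloaking out of 6, so the real pipeline evidently runs further probes (source IP reputation, JavaScript rendering, referer and timing checks). When probing live, fetch from a residential or non-datacenter egress for the browser profile, because many kits key on the requesting ASN rather than on headers.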
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-01-03 (per WHOIS / CT; may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-26 16:30:11 UTC (by PhishDestroy tracker)
First reported: 2026-04-26 13:30:40 UTC (abuse notice filed)
Last verified: 2026-04-26 19:20:43 UTC
Neutralised: 2026-04-26 16:32:07 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dc9fa-82f1-745a-9c43-d80c0d628b73/
URLQuery: https://urlquery.net/report/db835757-a11f-41d7-8b87-e3a7009a829f
Wayback Machine: https://web.archive.org/web/*/ledger-wallet-bitcoin.net
crt.sh CT logs: https://crt.sh/?q=%25.ledger-wallet-bitcoin.net
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledger-wallet-bitcoin.net
AlienVault OTX: https://otx.alienvault.com/indicator/domain/ledger-wallet-bitcoin.net
URLhaus: https://urlhaus.abuse.ch/host/ledger-wallet-bitcoin.net/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-26 16:33:22 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

ledger-wallet-bitcoin.net has been identified by PhishDestroy as a confirmed brand-impersonation domain masquerading as the official Ledger cryptocurrency wallet platform. When this narrative was generated the threat level was still under investigation, because the site had just been taken down and no active malicious payload was observed at the time of analysis. Its infrastructure choices nonetheless demand immediate attention from security teams and cryptocurrency users: a TLS certificate issued by Google Trust Services (which produces the browser padlock that victims read as legitimacy) and hosting behind Cloudflare's proxy at 104.21.81.220 (which hides the origin server from attribution and takedown).
The domain's creation on January 03, 2026, its appearance on three recognized security blocklists, and preemptive blocking by vendors such as MetaMask and SEAL underscore its intent to deceive visitors into surrendering their digital assets. It was registered through Web Commerce Communications Limited dba WebNic.cc, a registrar that handles both legitimate and malicious registrations. VirusTotal showed 0/95 engines flagging the site at the time of assessment, a temporarily low detection rate that can mislead even cautious users (the update note below records the later count). The domain resolves to 104.21.81.220, a Cloudflare edge address that has also fronted other brand-impersonation and crypto-drainer sites; because that address is shared by many unrelated sites, pivot on the domain name, not on the IP. The Google Trust Services certificate lends false legitimacy: it proves only that whoever requested it controlled the domain at issuance, not that the site is genuine. Taken together (recent creation, immediate takedown, cross-vendor blocking) these indicators point to an opportunistic, short-lived campaign built to exploit lapses in user vigilance while trust in digital-asset platforms is high.

To limit exposure to ledger-wallet-bitcoin.net and similar threats, users should reach Ledger only by typing the official address (ledger.com) or using a saved bookmark, never through links in email, social media or third-party advertisements. Ledger does not ask for the 24-word recovery phrase on any website; a page that does is fraudulent, and no second factor protects a wallet once that phrase has been typed into an attacker's form, because the phrase alone regenerates the private keys. Enterprises and crypto service providers should integrate real-time threat-intelligence feeds that include blocklists such as OISD, SEAL and MetaMask's phishing database, so known malicious domains are blocked at the DNS or proxy layer before users reach them. Confirming every transaction on the hardware wallet's own screen and enabling two-factor authentication (2FA) on exchange and email accounts still reduce the damage from a leaked password. Security teams should search DNS, proxy and endpoint logs for lookups of or connections to ledger-wallet-bitcoin.net, matching on the domain name rather than on 104.21.81.220 (shared Cloudflare infrastructure that would flood the hunt with false positives), and treat any hit as a possible credential or seed-phrase exposure.
Immediate reporting of suspicious domains to the Anti-Phishing Working Group (APWG) or local cybercrime units accelerates global takedown efforts and protects the broader ecosystem.

[Updates since narrative was generated:]
- VirusTotal detections: now 18/95 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260426-564EB3
Favicon MD5: 5e7e616dc943d23075771a3df24210dc

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe: new scam domains routinely show 0/95 on VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
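The mitigation advice in the narrative (block known domains from feeds such as MetaMask's, verify URLs against the official ledger.com) and the methodology note that a flagged domain stays flagged regardless of its VT count both come down to the same control: a domain classifier that consults an allowlist, then a blocklist, then a brand-lookalike heuristic. The script below is an added example and is neither PhishDestroy's nor MetaMask's code. Its `BLOCKLIST`, `ALLOWLIST` and `BRANDS` tables are constructed stand-ins for the real feeds (in production, load them from the published blocklists), and the hostnames other than ledger-wallet-bitcoin.net and ledger.com used in the demo are made up to exercise the edge cases.

```python
"""Allowlist / blocklist / brand-lookalike classifier for hostnames or URLs.

Added example, not code from PhishDestroy or any blocklist vendor.
The feeds are constructed samples; real deployments load published lists.
"""
import re
from urllib.parse import urlsplit

# Constructed sample feeds (stand-ins for the dossier's named blocklists).
BLOCKLIST = {"ledger-wallet-bitcoin.net"}
ALLOWLIST = {"ledger.com", "metamask.io"}
# Constructed mapping: brand keyword -> the brand's genuine zone.
BRANDS = {"ledger": "ledger.com", "metamask": "metamask.io"}


def hostname(target: str) -> str:
    """Accept a URL or a bare host; return the lower-cased host without
    scheme, port, path, userinfo or trailing dot."""
    if "://" not in target:
        target = "https://" + target
    return (urlsplit(target).hostname or "").rstrip(".").lower()


def in_zone(host: str, zone: str) -> bool:
    """True if host is zone itself or a subdomain of it. The leading dot keeps
    'ledger.com.evil.net' and 'notledger.com' from matching 'ledger.com'."""
    return host == zone or host.endswith("." + zone)


def classify(target: str) -> dict:
    """Return {'host', 'verdict' ('allow'|'block'|'error'), 'reason'}."""
    host = hostname(target)
    if not host:
        return {"host": host, "verdict": "error", "reason": "no_hostname"}
    # 1. Genuine zones first, so the brand heuristic cannot block ledger.com itself.
    for zone in ALLOWLIST:
        if in_zone(host, zone):
            return {"host": host, "verdict": "allow", "reason": f"allowlist:{zone}"}
    # 2. Exact feed hits, including subdomains of a listed zone.
    for zone in BLOCKLIST:
        if in_zone(host, zone):
            return {"host": host, "verdict": "block", "reason": f"blocklist:{zone}"}
    # 3. Brand keyword anywhere in the host while the host is outside the
    #    brand's real zone: catches ledger-wallet-bitcoin.net on day zero,
    #    before any feed lists it, and subdomain tricks like ledger.com.evil.net.
    labels = re.split(r"[.-]", host)
    for brand, official in BRANDS.items():
        if any(brand in label for label in labels) and not in_zone(host, official):
            return {"host": host, "verdict": "block", "reason": f"brand_lookalike:{brand}"}
    return {"host": host, "verdict": "allow", "reason": "no_match"}


if __name__ == "__main__":
    # Constructed inputs; only the first two hostnames appear in the dossier.
    for t in ("https://ledger-wallet-bitcoin.net/login", "https://shop.ledger.com/",
              "ledger.com.evil.net", "ledgerwallet-login.com", "example.org"):
        print(classify(t))
```

The substring match in step 3 is deliberately greedy: it flags `ledgerwallet-login.com`, which an exact-label match would miss, at the cost of false positives on innocent hosts containing the keyword (a `sledgehammer` shop, for instance). In a production filter, route brand-lookalike hits to a review queue or a warning interstitial rather than a hard block, while feed hits (step 2) block outright; checking the allowlist first mirrors the published detector behaviour and means a compromised subdomain of a genuine brand will not be caught here, so keep the allowlist short.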
## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/ledger-wallet-bitcoin.net/
JSON API: https://api.destroy.tools/v1/check?domain=ledger-wallet-bitcoin.net
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io