# PhishDestroy threat dossier — ledgerd.net ================================================================ Fetched: 2026-06-26 01:44:13 UTC Canonical: https://phishdestroy.io/domain/ledgerd.net/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 91/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Ledger ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: CRDF, Gridinsoft, SOCRadar URLQuery: 4 detections Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 162.209.140.178 (HK, Tung Chung) ASN: ASAS40065 CNSERVERS - CNSERVERS LLC, US Hosting org: AS40065 CNSERVERS LLC Registrar: West263 International Limited Nameservers: ns1.363.hk, ns1.myhostadmin.net, ns2.363.hk, ns2.myhostadmin.net Registered: 2026-05-17 Expires: 2027-05-17 Page title: ledger硬件冷钱包-ledger钱包app下载-ledger钱包官方网站|官方认证产品,安全无忧 - tp官方下载安卓最新版本 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR1 Expires: 2026-09-17 Status: INVALID chain Fingerprint: 10f61b2dd9676643741ac4362d3795423d5c3d2f4d44e82e2051d7cf9ae27f10 Subject Alternative Names (related infrastructure — often same operator): - ledgera.cc - ledgerb.cc - ledgerb.cn - ledgerb.net - ledgerc.cc - ledgerc.cn - ledgerc.net - ledgerd.cc - ledgere.cc - ledgere.cn - ledgerg.com - ledgerh.net - ledgeri.cc - ledgeri.cn - ledgerj.com ... +18 more ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-24 17:57:33 UTC (by PhishDestroy tracker) First reported: 2026-06-24 16:11:16 UTC (abuse notice filed) Last verified: 2026-06-26 00:20:35 UTC Neutralised: 2026-06-25 00:02:45 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019efa58-f09d-719d-86af-85c58268227a/ URLQuery: https://urlquery.net/report/9d4d4cc1-fbc8-470b-97b2-010b7a91f05f Wayback Machine: https://web.archive.org/web/*/ledgerd.net crt.sh CT logs: https://crt.sh/?q=%25.ledgerd.net Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledgerd.net AlienVault OTX: https://otx.alienvault.com/indicator/domain/ledgerd.net URLhaus: https://urlhaus.abuse.ch/host/ledgerd.net/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-25 19:13:44 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as an elevated-risk brand impersonation threat targeting Ledger, a provider of cryptocurrency hardware wallets. The site, ledgerd.net, presents itself as an official source for Ledger wallet applications, specifically promoting a fake Android app download under the guise of "ledger硬件冷钱包-ledger钱包app下载-ledger钱包官方网站." The page title explicitly references "tp官方下载安卓最新版本," indicating an attempt to deceive users into installing malicious software designed to compromise cryptocurrency assets. Analysis indicates this is a calculated impersonation campaign leveraging brand trust to distribute malware or harvest credentials. Infrastructure analysis reveals the domain was registered on May 17, 2026, through West263 International Limited, a registrar frequently associated with suspicious domains. It resolves to the IP address 162.209.140.178, which has been linked to other fraudulent activities. The domain is currently offline but was previously detected by three security blocklists, including PhishDestroy, OISD, and Hagezi. VirusTotal reports 3 out of 95 security vendors flagging the domain as malicious, while its SSL certificate is issued by Let's Encrypt, a common tactic to lend superficial legitimacy to phishing sites. The creation date discrepancy (2026) suggests potential domain squatting or an error in registration records, further complicating attribution. Mitigation for this threat type involves immediate validation of all cryptocurrency wallet download sources. Users should exclusively obtain software from the official Ledger website or verified app stores, avoiding third-party links. Network-level protections, such as DNS filtering using the provided blocklist data, can prevent access to known malicious domains. Organizations should monitor for connections to 162.209.140.178 and domains registered via West263 International Limited, as these indicators correlate with ongoing phishing campaigns. Endpoint detection systems should be configured to flag unauthorized cryptocurrency wallet installations, particularly those originating from non-official sources. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260624-D1F27A TLS cert SHA-256: 10f61b2dd9676643741ac4362d3795423d5c3d2f4d44e82e2051d7cf9ae27f10 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/ledgerd.net/ JSON API: https://api.destroy.tools/v1/check?domain=ledgerd.net Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,046 domains (12,243 alive under monitoring, 157,244 confirmed takedowns/dead). Site: https://phishdestroy.io