# PhishDestroy threat dossier — ledgerlivewallet.org.nz
================================================================
Fetched: 2026-07-01 14:12:44 UTC
Canonical: https://phishdestroy.io/domain/ledgerlivewallet.org.nz/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 78/100 (PhishDestroy scoring — see methodology below)
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 1/91 security vendors flagged this domain
Flagging vendors: Fortinet
AlienVault OTX: 1 pulse (threat-intel feed mentions)
Public blocklists: listed on 3 independent blocklists

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 43.174.240.1 (SG, Singapore)
ASN: AS139341 ACE
Hosting org: ACE
Registered: 2026-05-21
Page title: ledgerlivewallet.org.nz

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: TrustAsia Technologies, Inc. / TrustAsia DV TLS RSA CA 2025
Expires: 2026-08-12
Status: INVALID chain
Fingerprint: 28be075969c81db67a12b31e4e4497197d1b209a3ae12172493bce8c0ca28921

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.

This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-21 15:30:09 UTC (by PhishDestroy tracker)
First reported: 2026-06-15 06:30:10 UTC (abuse notice filed)
Last verified: 2026-07-01 12:20:36 UTC
Neutralised: 2026-05-28 18:22:50 UTC
Current status: taken down (registrar suspended or DNS dead)

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-18 16:52:50 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain ledgerlivewallet.org.nz was a sophisticated brand impersonation threat targeting users of the cryptocurrency hardware wallet company Ledger. By mimicking the legitimate Ledger Live wallet interface, this phishing domain aimed to harvest sensitive credentials such as recovery phrases and login details, potentially leading to the complete loss of cryptocurrency assets. The site's title, identical to the domain name, was a clear red flag, as legitimate Ledger domains do not use such patterns. The threat was classified as a crypto drainer, designed to trick users into connecting their wallets and authorizing malicious transactions.

Technical analysis revealed several indicators of malicious intent. VirusTotal flagged the domain with 1 out of 95 security vendors detecting it, indicating low but present recognition among security tools. The domain was registered on May 21, 2026, with a registrar that was not immediately identifiable from the data, but its SSL certificate was issued by TrustAsia Technologies, Inc., a relatively obscure certificate authority often used by cybercriminals. The domain resolved to IP address 43.174.240.1 and appeared on three security blocklists, while AlienVault OTX reported it in one threat intelligence pulse.
These factors, combined with its recent creation and impersonation of a well-known brand, contributed to an elevated risk level.

Users who may have visited ledgerlivewallet.org.nz should take immediate action. If any credentials or recovery phrases were entered, they should transfer their cryptocurrency assets to a new, secure wallet immediately and never reuse the compromised phrases. Running a full antivirus scan on the device used to access the site is also recommended. For those who only visited the page without entering information, monitoring accounts for unusual activity is advised. The domain has since been taken offline, but similar threats may emerge, so vigilance against unsolicited requests for wallet credentials is crucial. PhishDestroy continues to monitor for related domains and urges users to always verify URLs before interacting with cryptocurrency services.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: e77d6e15aaa797a66863f59181f9b1ab
TLS cert SHA-256: 28be075969c81db67a12b31e4e4497197d1b209a3ae12172493bce8c0ca28921

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/ledgerlivewallet.org.nz/
JSON API: https://api.destroy.tools/v1/check?domain=ledgerlivewallet.org.nz
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 173,494 domains (13,312 alive under monitoring, 159,499 confirmed takedowns/dead).
Site: https://phishdestroy.io