# PhishDestroy threat dossier — ledgerquantfix.xyz ================================================================ Fetched: 2026-05-24 16:41:19 UTC Canonical: https://phishdestroy.io/domain/ledgerquantfix.xyz/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Airdrop Scam Targeted brand: Ledger Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 2/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/95 security vendors flagged this domain Flagging vendors: Forcepoint ThreatSeeker ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.13.16 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: OwnRegistrar, Inc. Nameservers: may.ns.cloudflare.com, sevki.ns.cloudflare.com Registered: 2026-05-21 Page title: Raydium | Airdrop HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E8 Expires: 2026-08-19 Status: INVALID chain Fingerprint: 855340dfc346258ce0d265cac8f726a28eb6c18134fcfad195be3277ccda8253 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-21 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-21 14:31:10 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-05-21 11:36:42 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-05-24 19:32:40 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e4a4c-9ab4-743d-991a-9a7cc2f697ae/ URLQuery: https://urlquery.net/report/8d24d7f2-e922-4fb5-a07e-55e58e439599 Wayback Machine: https://web.archive.org/web/*/ledgerquantfix.xyz crt.sh CT logs: https://crt.sh/?q=%25.ledgerquantfix.xyz Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledgerquantfix.xyz AlienVault OTX: https://otx.alienvault.com/indicator/domain/ledgerquantfix.xyz URLhaus: https://urlhaus.abuse.ch/host/ledgerquantfix.xyz/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-21 14:31:40 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] LedgerQuantFix.xyz is an active crypto drainer domain designed to steal cryptocurrency from unsuspecting users by impersonating legitimate Ledger support services. The site leverages deceptive tactics, including fake wallet connection prompts and fraudulent transaction approvals, to siphon funds directly from victims' wallets. Once a user connects their wallet or approves a transaction, the drainer initiates unauthorized transfers to controlled addresses, often resulting in irreversible financial losses. The domain's malicious operations are further facilitated by its recent creation date, obscure registrar, and hosting infrastructure, all of which contribute to its elevated risk profile. PhishDestroy identifies LedgerQuantFix.xyz as a high-risk crypto drainer that specifically targets users seeking cryptocurrency wallet support or services. The domain was registered on May 21, 2026, through OwnRegistrar, Inc., a registrar known for hosting numerous fraudulent domains. It resolves to IP address 104.21.13.16, a server associated with multiple malicious campaigns. Security analysis by VirusTotal reveals that only 1 out of 95 security vendors flagged this domain, highlighting the stealthy nature of its operations. Despite its low detection rate, the domain employs a valid Let's Encrypt SSL certificate to appear legitimate, further deceiving users into trusting its fraudulent services. Users who have visited LedgerQuantFix.xyz should take immediate action to secure their assets. First, disconnect the domain from your browser and clear all cached data. Next, revoke any wallet connections or permissions granted to the site through your wallet's settings or a reputable blockchain explorer. If you approved any transactions or connected your wallet, monitor your transaction history for suspicious activity and report unauthorized transfers to your wallet provider or relevant authorities. Consider transferring remaining funds to a new, secure wallet to prevent further exposure. Always verify the legitimacy of support sites by checking official channels and using bookmarked links for trusted services. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260521-7B0A1B TLS cert SHA-256: 855340dfc346258ce0d265cac8f726a28eb6c18134fcfad195be3277ccda8253 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/ledgerquantfix.xyz/ JSON API: https://api.destroy.tools/v1/check?domain=ledgerquantfix.xyz Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 152,979 domains (39,706 alive under monitoring, 112,817 confirmed takedowns/dead). Site: https://phishdestroy.io