# ledgerr-livv-desktopp.pages.dev — SUSPICIOUS

> PhishDestroy identifies ledgerr-livv-desktopp.pages.dev as an active crypto drainer phishing domain. VirusTotal flags 1/95 vendors.

## Summary

PhishDestroy identifies ledgerr-livv-desktopp.pages.dev as an active crypto drainer campaign targeting cryptocurrency users under the guise of a desktop application portal. This fraudulent domain impersonates Ledger’s legitimate infrastructure, leveraging Cloudflare Pages hosting to distribute a malicious JavaScript payload designed to drain cryptocurrency wallets upon wallet signature requests. Technical analysis reveals the domain resolves to IP 188.114.97.3 and uses a Google Trust Services SSL certificate to enhance credibility, increasing the likelihood of successful deception. The threat actor behind seed 476c41 has deployed this campaign with operational sophistication, exploiting legitimate cloud hosting to bypass traditional network defenses.

This domain was flagged by PhishDestroy during routine threat intelligence monitoring. VirusTotal analysis confirms detection by only 1 out of 95 security vendors, highlighting a critical detection gap. The domain was registered through Cloudflare, Inc., a legitimate provider subverted for malicious hosting. While the exact creation date is not publicly available, the use of Cloudflare Pages indicates rapid deployment typical of opportunistic phishing campaigns. The low vendor detection rate—combined with the domain’s use of a valid SSL certificate issued by Google Trust Services—demonstrates elevated risk, as users and automated systems may perceive the site as trustworthy. The presence of a crypto drainer payload further escalates the threat level, as successful execution results in irreversible financial loss.

Users who accessed ledgerr-livv-desktopp.pages.dev should assume their cryptocurrency wallets may have been compromised. Immediately revoke any active wallet connections via your wallet provider’s security settings. Transfer remaining assets to a newly generated wallet with a hardware-backed seed phrase stored offline. Scan all connected devices for malware using reputable antivirus tools, as the crypto drainer may have delivered secondary payloads. Report the incident to your wallet provider and file a complaint with local cybercrime authorities. Avoid interacting with any Ledger-related domains not originating from ledger.com or verified official channels. Enable multi-factor authentication on all exchange and wallet accounts and monitor transactions for unauthorized activity. Stay vigilant—this campaign remains active and may evolve with new domains or delivery vectors.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/bdd39f7c-9dd7-4571-8b5d-1c445db5128e
- PhishDestroy: https://phishdestroy.io/domain/ledgerr-livv-desktopp.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/ledgerr-livv-desktopp.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ledgerr-livv-desktopp.pages.dev/

Last updated: 2026-03-23