# ledgger-desktop-live.pages.dev — SUSPICIOUS

> PhishDestroy identifies a live Ledger phishing campaign hosted on ledgger-desktop-live.pages.dev. Zero detections on VirusTotal. Check the full report.

## Summary

PhishDestroy has initiated an active takedown investigation into ledgger-desktop-live.pages.dev due to its involvement in a live Ledger hardware wallet phishing campaign. The domain is currently classified as under_investigation with a confirmed risk level of active, indicating ongoing malicious activities. Threat actors are leveraging this domain to impersonate legitimate Ledger desktop applications, likely aiming to harvest credentials and seed phrases from unsuspecting users. The immediacy of this threat is underscored by its current operational status, as evidenced by real-time DNS resolution and SSL certificate validation.

Technical indicators associated with this domain reveal a concerning lack of detection or mitigation by security vendors. The domain resolves to IP address 172.66.44.176, which is hosted on Cloudflare’s infrastructure and secured with a Google Trust Services SSL certificate—a tactic commonly used to evade traditional blocklists. As of the latest scan, VirusTotal reports 0 detections out of 95 engines, suggesting that signature-based defenses have not yet flagged this infrastructure. The domain is registered through Cloudflare, Inc., a factor that may contribute to its evasiveness due to Cloudflare’s legitimate reputation masking malicious activity. Notably, there are no entries for this domain or its IP on major blocklists or threat intelligence feeds at this time, further highlighting its stealthy nature. The SSL certificate’s validity and the domain’s use of Google Trust Services underscore the sophistication of this campaign, as threat actors increasingly abuse trusted certificate authorities to lend credibility to their phishing lures.

Users and organizations are strongly advised to implement immediate countermeasures to mitigate exposure to this threat. First, add ledgger-desktop-live.pages.dev and its resolved IP (172.66.44.176) to network and endpoint blocklists to prevent access. Second, ensure all employees or users are educated on the hallmarks of phishing campaigns targeting cryptocurrency wallets, such as unsolicited emails or websites mimicking official Ledger domains. Third, enforce multi-factor authentication (MFA) for all cryptocurrency-related accounts and recommend the use of hardware wallet verification steps before entering seed phrases or private keys. Finally, monitor network traffic for connections to this domain or its IP, particularly for POST requests containing sensitive credentials or wallet data. Given the domain’s current lack of detection, proactive blocking and user awareness are critical to preempt potential compromises.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.176

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/ledgger-desktop-live.pages.dev
- PhishDestroy: https://phishdestroy.io/domain/ledgger-desktop-live.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/ledgger-desktop-live.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ledgger-desktop-live.pages.dev/

Last updated: 2026-04-04