# PhishDestroy threat dossier — ledhgyg-djdjdhd.pages.dev
================================================================

Fetched:   2026-04-26 20:51:34 UTC
Canonical: https://phishdestroy.io/domain/ledhgyg-djdjdhd.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 82/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/95 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      172.66.47.3
Registrar:       Cloudflare, Inc.
Nameservers:     howard.ns.cloudflare.com, stevie.ns.cloudflare.com
Registered:      2026-04-26
Page title:      Ledger Live
HTTP response:   200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Let's Encrypt / E8
Expires:    2026-07-24
Status:     INVALID chain
Fingerprint: dcc4213e13758b8dc0207a92fd2ad8d8d3a78204e5cd01d66d714c869e30a3e1

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-04-26 16:23:14 UTC (by PhishDestroy tracker)
Last verified:     2026-04-26 19:50:06 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019dc9f4-1dff-746c-b48c-c897d410a6f9/
Wayback Machine:  https://web.archive.org/web/*/ledhgyg-djdjdhd.pages.dev
crt.sh CT logs:   https://crt.sh/?q=%25.ledhgyg-djdjdhd.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledhgyg-djdjdhd.pages.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/ledhgyg-djdjdhd.pages.dev
URLhaus:          https://urlhaus.abuse.ch/host/ledhgyg-djdjdhd.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-26 16:25:09 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain ledhgyg-djdjdhd.pages.dev has been flagged as a generic phishing host under active campaign investigation. Security researchers assess this infrastructure as a crypto drainer kit designed to harvest credentials and drain digital wallets from unsuspecting users. While no specific brand impersonation has been confirmed, the threat actor's infrastructure relies on deceptive subdomain patterns commonly associated with fake login portals targeting cryptocurrency holders. This domain is one of several recently registered hosts leveraging Cloudflare Pages to host malicious content, suggesting a coordinated effort to bypass traditional threat detection mechanisms through reputable hosting providers.

Technical indicators confirm this threat remains in early stages with limited detection coverage. VirusTotal reports 0 detections out of 95 scanners as of latest scan, indicating zero detection against current signature bases. The domain was registered through Cloudflare, Inc. and resolves to IPv4 address 172.66.47.3. The SSL certificate was issued by Let's Encrypt, providing a false sense of legitimacy. While the exact registration date remains unverified, the domain's presence on Cloudflare Pages infrastructure suggests recent creation in early 2024. Google Safe Browsing status remains unclassified, and no current blocklist entries have been identified across major threat intelligence platforms. The combination of low detection rates with active infrastructure indicates an emerging threat still under development by threat actors.

Current status places this domain in active investigation stage with 'under_investigation' classification. PhishDestroy analysts continue monitoring for behavioral patterns and upload of drainer code samples. Immediate response includes blocking this domain at network perimeter and flagging for user awareness campaigns. However, remaining risk remains moderate due to zero detection coverage and legitimate-appearing SSL configuration. Users should exercise extreme caution when accessing any ledhgyg-djdjdhd.pages.dev subdomains and verify destination legitimacy before entering credentials or wallet information. This advisory will be updated as additional intelligence becomes available regarding drainer kit functionality and potential brand impersonation targets.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5:       ae21ecb25616d3be96e987fe7af84d6e
TLS cert SHA-256:      dcc4213e13758b8dc0207a92fd2ad8d8d3a78204e5cd01d66d714c869e30a3e1

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/ledhgyg-djdjdhd.pages.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=ledhgyg-djdjdhd.pages.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io