# PhishDestroy threat dossier — ledzer-comstart.pages.dev

- Fetched: 2026-05-03 05:33:04 UTC
- Canonical: https://phishdestroy.io/domain/ledzer-comstart.pages.dev/

## VERDICT

CRITICAL THREAT — DO NOT VISIT

- Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
- Scam classification: Impersonation
- Targeted brand: Ledger

## DETECTION EVIDENCE

- VirusTotal: 5/91 security vendors flagged this domain
- Flagging vendors: ADMINUSLabs, CyRadar, Fortinet, Kaspersky, LevelBlue

## INFRASTRUCTURE

- IP address: 172.66.44.69 (CA, Toronto)
- ASN: AS13335 Cloudflare, Inc.
- Hosting org: Cloudflare, Inc.
- Registrar: Cloudflare, Inc.
- Nameservers: jo.ns.cloudflare.com, nick.ns.cloudflare.com
- Registered: 2026-04-30
- Page title: Start Your Ledger Wallet Setup & Protect Crypto
- HTTP response: 200

## TLS CERTIFICATE

- Issuer: Google Trust Services / WE1
- Expires: 2026-07-29
- Status: INVALID chain
- Fingerprint: 7cba3336639a573c70e26ce946d7ac1c4e9d40688a505e73d53134a8d46dc84c

## ABUSE-REPORT HISTORY (evidence of registrar non-response)

Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE

- Domain registered: 2026-04-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
- First detected: 2026-04-30 19:51:28 UTC (by PhishDestroy tracker)
- Last verified: 2026-05-02 19:40:15 UTC
- Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)

- URLScan.io: https://urlscan.io/result/019ddf4b-eb85-7458-b269-6883b2a98f2b/
- Wayback Machine: https://web.archive.org/web/*/ledzer-comstart.pages.dev
- crt.sh CT logs: https://crt.sh/?q=%25.ledzer-comstart.pages.dev
- Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ledzer-comstart.pages.dev
- AlienVault OTX: https://otx.alienvault.com/indicator/domain/ledzer-comstart.pages.dev
- URLhaus: https://urlhaus.abuse.ch/host/ledzer-comstart.pages.dev/

## ANALYST NARRATIVE

[Generated: 2026-04-30 19:52:56 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies ledzer-comstart.pages.dev as an active credential phishing domain operating under a Cloudflare Pages deployment. This fraudulent site mimics a legitimate service to harvest user login credentials, posing as a fake login interface for unsuspecting victims. The threat type is credential phishing, with no direct association to a known brand or drainer kit detected at this stage. The domain employs Cloudflare's infrastructure to obscure its true origin, making detection and takedown efforts more challenging for security teams. Initial observations suggest a focus on tricking users into entering sensitive information into a deceptive login portal.
Technical indicators confirm this domain's malicious nature: VirusTotal currently reports 0 out of 95 antivirus engines detecting the threat, indicating a low initial detection rate. The domain is registered through Cloudflare, Inc., resolving to IP address 172.66.44.69. The SSL certificate is issued by Google Trust Services, adding a false sense of legitimacy. The site is hosted on Cloudflare Pages, a legitimate service often abused by threat actors for phishing campaigns. Further analysis reveals no presence on Google Safe Browsing (GSB) blacklists at this time, and the domain remains unflagged by major threat intelligence platforms. The low detection score and lack of blacklisting highlight the need for proactive monitoring and user education.

The current status of ledzer-comstart.pages.dev is active, with the domain continuing to operate under investigation. Security researchers and threat intelligence teams are actively analyzing its behavior, infrastructure, and potential connections to broader phishing campaigns. While the immediate risk remains moderate due to low AV detection, the domain's use of Cloudflare's infrastructure complicates mitigation efforts. Users are strongly advised to avoid interacting with this site, verify URLs before entering credentials, and report suspicious activity to relevant authorities. Organizations should implement browser-based protections and DNS filtering to block access. The residual risk remains under evaluation, pending further forensic analysis and takedown actions.

## EVIDENCE HASHES

- TLS cert SHA-256: 7cba3336639a573c70e26ce946d7ac1c4e9d40688a505e73d53134a8d46dc84c

## SCORING METHODOLOGY

Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS

- Full HTML report: https://phishdestroy.io/domain/ledzer-comstart.pages.dev/
- JSON API: https://api.destroy.tools/v1/check?domain=ledzer-comstart.pages.dev
- Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
- Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 144,880 domains (52,853 alive under monitoring, 91,773 confirmed takedowns/dead).

Site: https://phishdestroy.io