# legdrs-io-u.pages.dev — SUSPICIOUS

> legdrs-io-u.pages.dev is a credential theft domain mimicking a crypto service with 0/95 VirusTotal detections. Verify sender URLs before entering login details.

## Summary

PhishDestroy identifies legdrs-io-u.pages.dev as an active credential theft domain associated with a targeted attack campaign. This domain is designed to impersonate a legitimate service, likely aiming to harvest user credentials for unauthorized access, financial fraud, or identity theft. The threat actor behind this operation has deployed infrastructure designed to evade early detection, while maintaining a low operational footprint. Given the absence of detections on VirusTotal and the use of Cloudflare’s Pages service, this domain is currently under active investigation but poses a significant risk to unsuspecting users who may enter sensitive information.

This domain resolves to IP 172.66.46.227, hosted under Cloudflare, Inc., with Google Trust Services providing the SSL certificate. VirusTotal currently shows 0/95 detections, indicating that mainstream security engines have not yet flagged the domain. The domain was registered through Cloudflare’s Pages service, which allows rapid deployment of static sites—often exploited for phishing and credential harvesting due to its legitimate appearance and short-lived infrastructure. While no confirmed blocklist inclusion is recorded, the domain remains active and is likely involved in ongoing campaigns targeting cryptocurrency users or brand impersonation.

Users are strongly advised to avoid interacting with legdrs-io-u.pages.dev or any associated links. To mitigate risk, verify all URLs and sender domains manually before entering credentials. Enable multi-factor authentication (MFA) on all accounts, especially those linked to cryptocurrency platforms. Report suspicious domains to your security provider and relevant cybercrime units. Organizations should monitor DNS logs for connections to this IP and block 172.66.46.227 at the network perimeter. Exercise heightened caution with emails or messages promoting urgent login requests, and confirm legitimacy through official channels only.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.46.227

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/legdrs-io-u.pages.dev
- PhishDestroy: https://phishdestroy.io/domain/legdrs-io-u.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/legdrs-io-u.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/legdrs-io-u.pages.dev/

Last updated: 2026-04-03