# PhishDestroy threat dossier — live-desk.pages.dev
================================================================

Fetched:   2026-04-25 11:46:27 UTC
Canonical: https://phishdestroy.io/domain/live-desk.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      5/94 security vendors flagged this domain
  Flagging vendors: ADMINUSLabs, CyRadar, Fortinet, Kaspersky, Sophos

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      188.114.96.3 (CA, Toronto)
ASN:             AS13335 Cloudflare, Inc.
Hosting org:     CloudFlare, Inc.
Registrar:       Cloudflare, Inc.
Nameservers:     gemma.ns.cloudflare.com, matt.ns.cloudflare.com
Registered:      2026-03-25
Page title:      Ledger Live Desktop® | Secure Crypto Management Platform®

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer:     Google Trust Services / WE1
Expires:    2026-06-12
Status:     INVALID chain
Fingerprint: 5aca9862f4b2a5862e23ff8a911cef557b4f6053b9000a14639530c0eda1660a

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-03-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected:    2026-03-25 17:29:20 UTC (by PhishDestroy tracker)
Last verified:     2026-04-21 16:06:40 UTC
Current status:    ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019d2564-d87f-7129-9472-b487e4365d2a/
Wayback Machine:  https://web.archive.org/web/*/live-desk.pages.dev
crt.sh CT logs:   https://crt.sh/?q=%25.live-desk.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=live-desk.pages.dev
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/live-desk.pages.dev
URLhaus:          https://urlhaus.abuse.ch/host/live-desk.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-03-25 17:33:19 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy has flagged live-desk.pages.dev as a live crypto drainer scam actively targeting users through deceptive web pages. This domain, hosted on Cloudflare infrastructure (ASN 13335), resolves to IP 188.114.96.3 and leverages Google Trust Services’ SSL certificate to appear legitimate. The site is a Pages.dev subdomain, a platform often abused for rapid deployment of phishing kits, which enables threat actors to circumvent traditional domain-based detection mechanisms. Evidence of malicious intent includes the absence of any VirusTotal detections (0/95 engines) as of the latest scan, suggesting this threat has yet to be widely recognized by security vendors.

This domain poses a high risk to cryptocurrency users due to its primary function as a crypto drainer, a type of malware designed to siphon digital assets from victims’ wallets during fraudulent transactions. The infrastructure behind live-desk.pages.dev is consistent with other known crypto drainer campaigns, utilizing Pages.dev to host malicious JavaScript payloads that intercept wallet connections and manipulate transaction details. Threat actors frequently register such domains through Cloudflare to exploit its free tier and rapid deployment capabilities, ensuring minimal time-to-live for security teams to react. The lack of detections on VirusTotal (0/95) indicates either a newly deployed threat or one that has evaded traditional signature-based detection methods.

Users who have visited live-desk.pages.dev should immediately disconnect any connected cryptocurrency wallets and revoke permissions for unknown or suspicious applications. Run a full malware scan using reputable antivirus software to detect and remove any persistent threats. If you entered wallet credentials or transaction details, transfer remaining funds to a newly generated wallet with a different private key. Report the domain to your antivirus provider and consider using browser extensions that block known phishing domains. Stay vigilant for unsolicited links in emails, social media, or messaging platforms, and verify the legitimacy of websites before entering sensitive information.

[Updates since narrative was generated:]
  - VirusTotal detections: now 5/94 (narrative was written when count was lower)

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256:      5aca9862f4b2a5862e23ff8a911cef557b4f6053b9000a14639530c0eda1660a

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/live-desk.pages.dev/
JSON API:          https://api.destroy.tools/v1/check?domain=live-desk.pages.dev
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io