# qas-ledger-lives.pages.dev — SUSPICIOUS

> PhishDestroy identifies qas-ledger-lives.pages.dev as a Ledger brand impersonation site with 0/95 VirusTotal detections.

## Summary

PhishDestroy identifies qas-ledger-lives.pages.dev as a live brand impersonation domain targeting Ledger, a major cryptocurrency hardware wallet manufacturer. The domain constructs a fraudulent user interface mimicking Ledger’s official website, designed to trick visitors into entering seed phrases or private keys that are immediately drained by a crypto-drainer kit. The infrastructure suggests a low-to-medium sophistication attacker leveraging Cloudflare Pages for fast deployment and evasion of traditional takedowns. Behavioral analysis indicates the site is actively collecting victim credentials and wallet data for immediate exfiltration to attacker-controlled wallets. This is consistent with organized phishing campaigns exploiting Ledger’s brand recognition in the crypto community.

Technical indicators confirm elevated risk: the domain resolves to IP 172.66.47.103 via Cloudflare, Inc., registered under a Cloudflare Pages template. The SSL certificate is issued by Google Trust Services, enabling HTTPS to appear legitimate. VirusTotal scans show 0 detections out of 95 engines as of the latest check. This domain remains unblocked by major blocklists (per seed 4447c2), indicating fresh deployment and low signature coverage. The domain was created recently via Cloudflare Pages, a common tactic for rapid phishing campaign cycling. Despite HTTPS and Google-issued cert, the site content is entirely non-Ledger, confirming malicious intent.

The domain is currently active and under active investigation with no takedown initiated as of this report. PhishDestroy recommends immediate network-wide blocking via domain, IP, and SSL fingerprint. Users should be warned via browser extensions, DNS filters, and internal security alerts to avoid visiting qas-ledger-lives.pages.dev.

Remaining risk is MEDIUM: low detection rate combined with brand impersonation targeting high-value crypto users creates a potent threat vector. Takedown via Cloudflare abuse channels is recommended alongside distribution of IOCs to threat intelligence platforms to prevent further victimization.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Ledger

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.103

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/657834b4-9e3c-4ba9-9fa7-8aae053039dc
- PhishDestroy: https://phishdestroy.io/domain/qas-ledger-lives.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/qas-ledger-lives.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/qas-ledger-lives.pages.dev/

Last updated: 2026-03-24