# sso-ledr-live.pages.dev — MALICIOUS

> PhishDestroy identifies sso-ledr-live.pages.dev as a crypto drainer impersonating SSO login portals. VirusTotal flags 10/95 vendors.

## Summary

PhishDestroy identifies sso-ledr-live.pages.dev as a confirmed crypto drainer mimicking legitimate SSO authentication pages. This domain was flagged by 10 out of 95 VirusTotal security vendors, indicating a high likelihood of malicious activity targeting users seeking single sign-on access. Registered through Cloudflare, Inc., the domain leverages Cloudflare Pages for rapid deployment while hiding behind a Google Trust Services SSL certificate to appear legitimate. The infrastructure resolves to IP 172.66.47.138, a known hosting environment frequently abused for phishing campaigns.

This domain poses a severe risk to users who may inadvertently input their credentials or cryptocurrency wallet details into the fraudulent login interface. The threat actor behind this scheme likely disseminates the URL via phishing emails, fake advertisements, or social engineering tactics to lure victims into surrendering sensitive information. The use of a Pages.dev subdomain suggests a low-cost, high-reward approach for threat actors, as Cloudflare's platform allows for quick setup and takedown evasion. Given the 10/95 detection rate, traditional security tools may not catch this threat, increasing the risk of successful compromise.

Users who visited sso-ledr-live.pages.dev should immediately cease any interaction with the site and avoid entering any credentials or cryptocurrency wallet information. If credentials were entered, users must change passwords across all accounts (especially those using similar usernames or email addresses) and enable multi-factor authentication where possible. For cryptocurrency users, transfer funds to a new wallet if any wallet connections were authorized via the fraudulent site. Report the domain to your organization's security team or local cybercrime units and consider blocking the IP 172.66.47.138 and domain at the network perimeter. Monitor financial accounts and cryptocurrency wallets for unauthorized transactions.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.138

## Detection Status

- VirusTotal: 10 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/355a787b-1e5f-4c19-bb13-05220d90b1e0
- PhishDestroy: https://phishdestroy.io/domain/sso-ledr-live.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/sso-ledr-live.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/sso-ledr-live.pages.dev/

Last updated: 2026-04-12