# sta-rt-ledgor-io.pages.dev — SUSPICIOUS

> sta-rt-ledgor-io.pages.dev mimics Ledger login to steal crypto. Hosted on Google Trust Services (IP 172.66.45.32), it remains undetected by VirusTotal (0/95).

## Summary

PhishDestroy identifies an active phishing campaign operating from sta-rt-ledgor-io.pages.dev, a domain designed to impersonate the official Ledger hardware wallet login page. The threat type is classified as generic_phishing, with the specific objective of harvesting cryptocurrency wallet credentials and initiating unauthorized transactions. This domain leverages a deceptive landing page structure to mimic Ledger’s authentication flow, tricking users into entering their recovery phrases or private keys under the guise of a security update or account verification. The infrastructure suggests the use of a drainer kit, a specialized toolkit commonly employed in cryptocurrency phishing to automate the theft of digital assets.

This domain resolves to IP 172.66.45.32 and is served via Cloudflare, Inc., a common tactic to obscure the true hosting origin. As of the latest scan, VirusTotal reports 0 detections out of 95 security engines, indicating that this domain has not yet been widely flagged by antivirus or threat intelligence platforms. The SSL certificate is issued by Google Trust Services, a legitimate provider, which may be exploited to lend an air of authenticity to the phishing site. The domain is a subdomain under pages.dev, a free hosting service provided by Cloudflare, which is frequently abused for short-lived phishing campaigns due to its low barrier to entry and temporary nature. The lack of detections and the use of legitimate infrastructure highlight the evolving tactics of threat actors to bypass traditional security measures. The current status of sta-rt-ledgor-io.pages.dev is active, with no confirmed takedown or blocklisting at this time.

Immediate response actions include blocking the domain at the network level and updating firewall rules to prevent access from corporate or personal devices. Users are advised to verify the legitimacy of any Ledger-related communications by visiting the official website directly (ledger.com) and never through embedded links. The remaining risk is classified as under_investigation, as further analysis is required to determine the full scope of this campaign, including additional domains, IP addresses, or drainer kits involved. Given the domain’s undetected status and the high-stakes nature of cryptocurrency theft, this phishing campaign poses a significant threat to users who may unknowingly expose their wallet credentials. Proactive monitoring and user education on recognizing phishing attempts remain critical to mitigating this risk.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.45.32

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/e9aea8eb-e0a1-49ee-a1b5-b0a433710c15
- PhishDestroy: https://phishdestroy.io/domain/sta-rt-ledgor-io.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/sta-rt-ledgor-io.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/sta-rt-ledgor-io.pages.dev/

Last updated: 2026-03-22