# PhishDestroy threat dossier — starrt-ledger.pages.dev
================================================================
Fetched: 2026-05-04 22:43:52 UTC
Canonical: https://phishdestroy.io/domain/starrt-ledger.pages.dev/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 87/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Ledger

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/94 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.96.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare, Inc.
Nameservers: ishaan.ns.cloudflare.com, natasha.ns.cloudflare.com
Registered: 2026-04-19
Page title: Ledger Start – Ultimate Guide to Secure Setup & Cryptocurrency Management
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-18
Status: INVALID chain
Fingerprint: 91a50be92226adb99315093da09afd444b30a87107d1b43dca3edcba9ac23741

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-19 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-19 18:47:13 UTC (by PhishDestroy tracker)
Last verified: 2026-04-27 19:40:08 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019da66b-2727-71b4-a264-5669ad9ba4d4/
Wayback Machine: https://web.archive.org/web/*/starrt-ledger.pages.dev
crt.sh CT logs: https://crt.sh/?q=%25.starrt-ledger.pages.dev
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=starrt-ledger.pages.dev
AlienVault OTX: https://otx.alienvault.com/indicator/domain/starrt-ledger.pages.dev
URLhaus: https://urlhaus.abuse.ch/host/starrt-ledger.pages.dev/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-19 18:47:44 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies starrt-ledger.pages.dev as an active crypto drainer domain designed to intercept and drain cryptocurrency transactions from unsuspecting users. This domain operates under Cloudflare’s infrastructure and leverages a Google Trust Services SSL certificate to appear legitimate, masking its malicious intent. The threat actor behind this campaign has deployed a phishing page impersonating a legitimate crypto wallet interface, specifically targeting users attempting to access or manage digital assets. Technical analysis reveals that this domain resolves to IP address 188.114.96.3, a server often associated with malicious cryptocurrency-related activities.
Currently, VirusTotal reports 0 detections out of 95 scans, indicating that traditional antivirus and security tools have not yet flagged this domain as malicious. This low detection rate highlights the evolving tactics of crypto drainers, which frequently bypass initial security checks by mimicking trusted services and using reputable infrastructure providers. The absence of detections should not be interpreted as a sign of safety; instead, it underscores the need for proactive verification by users.

This domain was flagged as a crypto drainer with the unique seed identifier 4592c5, placing it under active investigation by cybersecurity researchers. The domain is registered through Cloudflare, Inc., a common choice among threat actors due to its robust infrastructure and anonymity protections. While the exact creation date of the domain is not publicly available, its association with a recently active crypto drainer campaign suggests it was established to capitalize on current trends in cryptocurrency phishing. The lack of detections on VirusTotal (0/95) is particularly concerning, as it demonstrates the domain’s ability to evade automated detection systems, at least temporarily. Additionally, the use of a Google Trust Services SSL certificate further complicates detection efforts, as users may assume the site is legitimate due to the presence of a padlock icon in their browser. The combination of Cloudflare’s infrastructure, a trusted SSL certificate, and low detection rates creates a deceptive facade that can easily mislead even cautious users.

If you have visited starrt-ledger.pages.dev or interacted with this domain, take immediate action to secure your cryptocurrency assets and personal data. First, disconnect any device that may have accessed the site from the internet to prevent further unauthorized communication. Next, transfer any remaining cryptocurrency funds from wallets that may have been exposed to a new, secure wallet with a fresh private key.
Enable multi-factor authentication (MFA) on all cryptocurrency exchange and wallet accounts, and consider using hardware wallets for added security. Review transaction histories on all blockchain networks for any unauthorized transfers, and report suspicious activity to the respective blockchain explorers or platforms. Finally, scan your device for malware using reputable antivirus software, as crypto drainers often deploy additional payloads such as keyloggers or trojans.

To verify the safety of any URL in the future, use PhishDestroy’s domain verification tool, which cross-references domains against real-time threat intelligence databases. Always double-check URLs, especially those shared via unsolicited emails or social media messages, and avoid entering sensitive information on websites that lack a verified …

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: 91a50be92226adb99315093da09afd444b30a87107d1b43dca3edcba9ac23741

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/starrt-ledger.pages.dev/
JSON API: https://api.destroy.tools/v1/check?domain=starrt-ledger.pages.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 145,673 domains (56,118 alive under monitoring, 89,295 confirmed takedowns/dead).
Site: https://phishdestroy.io