# wlt-ledger-starts.pages.dev — SUSPICIOUS

> wlt-ledger-starts.pages.dev is active as a crypto drainer targeting Ledger wallet users. VirusTotal scored it 0/95. Check the full report.

## Summary

Is wlt-ledger-starts.pages.dev Safe?

wlt-ledger-starts.pages.dev is a recently identified crypto drainer phishing domain masquerading as a Ledger wallet service. The page uses a Pages.dev subdomain to appear legitimate, leveraging Cloudflare Pages for hosting. The threat type is confirmed as a crypto drainer, designed to steal cryptocurrency by tricking users into connecting their wallets or entering seed phrases. No specific drainer kit hash or code repository was identified during initial analysis, but the domain's structure and SSL certificate suggest a coordinated campaign targeting Ledger users specifically. The use of a Pages.dev domain indicates an attempt to exploit legitimate cloud hosting services to bypass traditional blocklists.

This domain resolves to IP 172.66.44.221 and is registered through Cloudflare, Inc., which provides anonymity and makes takedown efforts more complex. The SSL certificate is issued by Google Trust Services, a tactic often used to create a false sense of security. VirusTotal currently shows 0 detections out of 95 scanners, indicating the domain is not yet widely recognized as malicious. The domain was created recently, though the exact creation date is not publicly available due to Cloudflare's privacy protections. As of this report, the domain has not been added to the Google Safe Browsing (GSB) list, and no blocklist entries were detected.

PhishDestroy identifies wlt-ledger-starts.pages.dev as an active and evolving threat, with low detection rates posing significant risk to uninformed users. The domain remains unblocked by major security vendors, allowing it to operate without immediate disruption.
Response actions include ongoing monitoring and intelligence sharing with hosting providers and security vendors; however, Cloudflare's privacy protections and Pages.dev's hosting policies complicate rapid mitigation. Users are advised to avoid interacting with this domain, especially if prompted to connect wallets or enter seed phrases. Remaining risk is assessed as high due to low detection rates, targeted nature, and evasion tactics. Immediate action is required from security vendors to update blocklists and for users to exercise extreme caution with Ledger-related communications.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.221

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/17770f81-5cef-4178-8ac5-a4033e86e875
- PhishDestroy: https://phishdestroy.io/domain/wlt-ledger-starts.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/wlt-ledger-starts.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/wlt-ledger-starts.pages.dev/

Last updated: 2026-03-22