# PhishDestroy threat dossier — wwvv-laedger.vip ================================================================ Fetched: 2026-07-08 19:41:50 UTC Canonical: https://phishdestroy.io/domain/wwvv-laedger.vip/ ## VERDICT ---------------------------------------------------------------- HIGH THREAT — malicious activity confirmed Composite threat score: 66/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 1/91 security vendors flagged this domain Flagging vendors: Fortinet AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.168.174 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED !!! REGISTRAR INTEGRITY ALERT — NiceNIC !!! NiceNIC International: over 90% of its registered domains are associated with illegal content; documented systematic abuse-report non-response. Primary sources: https://phishdestroy.io/nicenic-real https://phishdestroy.io/nicenic-verdict Nameservers: arushi.ns.cloudflare.com, louis.ns.cloudflare.com Registered: 2026-07-08 Expires: 2027-07-08 Page title: Access Restricted HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE1 Expires: 2026-10-06 Status: INVALID chain Fingerprint: 5b01196a9abf06e9bcd1bdbfb7d53d4488e12b6e602fb38974e1d5347ec6bb15 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-07-08 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-08 18:43:51 UTC (by PhishDestroy tracker) Last verified: 2026-07-08 21:00:05 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f429c-a561-7593-9ed5-93b498fd5a2b/ URLQuery: https://urlquery.net/report/e7339097-f012-44cd-a46b-b247d9ec427c Wayback Machine: https://web.archive.org/web/*/wwvv-laedger.vip crt.sh CT logs: https://crt.sh/?q=%25.wwvv-laedger.vip Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=wwvv-laedger.vip AlienVault OTX: https://otx.alienvault.com/indicator/domain/wwvv-laedger.vip URLhaus: https://urlhaus.abuse.ch/host/wwvv-laedger.vip/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-08 18:44:32 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, wwvv-laedger.vip, poses a specific brand impersonation threat aimed at cryptocurrency users, particularly those associated with Ledger hardware wallets. The domain name mimics the legitimate Ledger service by substituting letters (e.g., 'vv' for 'l' and 'vip' for 'live'), a common tactic to deceive users into entering sensitive credentials or recovery phrases. The page displays an 'Access Restricted' title, which may serve as a psychological trigger to prompt users to take action, such as clicking a verification link or downloading malicious software. This infrastructure is designed for credential theft and potential crypto asset compromise, not generic phishing. Analysis reveals concrete technical indicators: the domain was registered through NICENIC INTERNATIONAL GROUP CO., LIMITED on July 08, 2026, a recent creation date consistent with disposable phishing infrastructure. VirusTotal reports 0 out of 95 security vendors detecting the domain, meaning it has not been flagged by automated scanning tools yet. The domain resolves to IP address 172.67.168.174, hosted behind Cloudflare, which uses Google Trust Services for SSL encryption. No blocklist entries are currently associated with this domain, further underscoring its low detection profile. The unique seed bd6393 ties this analysis to a specific campaign tracking identifier. Users who have visited wwvv-laedger.vip should immediately disconnect from the internet and run a full antivirus scan on their device. They should change passwords for any accounts potentially accessed from that device, especially cryptocurrency exchange or wallet passwords, using a clean, uncompromised system. If any credentials or recovery phrases were entered on the site, users should transfer crypto assets to a new wallet generated on a secure device and enable two-factor authentication across all financial accounts. Monitoring bank and crypto accounts for unauthorized transactions over the next 90 days is strongly advised. [Updates since narrative was generated:] - Public blocklists: now listed on 3 feeds ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: a39fe1a1d8d11b1cc8022b6815f037ad TLS cert SHA-256: 5b01196a9abf06e9bcd1bdbfb7d53d4488e12b6e602fb38974e1d5347ec6bb15 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/wwvv-laedger.vip/ JSON API: https://api.destroy.tools/v1/check?domain=wwvv-laedger.vip Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 176,311 domains (13,433 alive under monitoring, 161,879 confirmed takedowns/dead). Site: https://phishdestroy.io