Intro: Imposter official-site entries are looking closer to the real site: domains differ by one or two characters, mirror pages copy the official colour scheme, and some even embed fake support. Here's a recognition checklist for similar domains and mirror pages.
Background: Phishing sites appear via search ads, social-media short links, or email buttons. On the surface, they look like download, update, or announcement pages — but the goal is to extract the recovery phrase or push a malicious file. Some mirror pages redirect multiple times, mixing resources from several domains.
Core breakdown:
1) Domain & certificate: the official site uses ledger.com (and legitimate subdomains). Fake domains may add dashes, digits, or extra letters. Check whether the certificate issuer matches the domain and watch for unexpected redirects.
2) Page behaviour: high-risk signals include "download firmware/extension" buttons pointing to external storage; pages asking you to disable security software; popups directly requesting the recovery phrase or verification code. The official site doesn't ask for these.
3) Resource sources: mirror pages often mix scripts and images from multiple domains — developer tools show lots of external requests. Official-site resources are more consolidated and auditable.
4) Propagation: fake entries often appear alongside "urgent update" or "airdrop claim" framing. Unfamiliar sources with high-urgency copy are a stop-and-verify cue.
Common misconceptions:
Q: Does the HTTPS padlock mean safe? A: Not necessarily — imposter sites can also get certificates. Check domain and certificate details.
Q: Is the top search result always the official one? A: Search ads can be abused. Manual URL entry or bookmarks are safer.
Q: Is an "offline patch" page legitimate? A: No. Official updates are delivered through Ledger Live only — websites don't serve firmware binaries.
Risk guidance: Before visiting, type the URL manually or use a bookmark. If an unfamiliar link shows up, screenshot it first and verify via official support. Any page requesting the recovery phrase or private keys is phishing — close it and rotate related credentials on a trusted device.
Safety reminder: We will never ask for your recovery phrase, PIN, verification codes, or private keys. Anyone requesting them is attempting fraud — do not share and do not proceed.
