The economics of free hosting phishing

Five years ago a phishing attacker who wanted a fake `ledger-live-update.com` had to register the domain, set up DNS, configure SSL, and deploy a server. Total cost was 10 to 30 dollars and a day or two of setup time. The cost itself was not a barrier, but every step left a trail that scanners could follow back. WHOIS records showed registration timing. SSL certificates appeared in certificate transparency logs. DNS records were public. Detection vendors built their entire reputation systems around exactly these signals.

Free hosting platforms broke that detection model overnight. A `*.vercel.app` subdomain is provisioned in seconds. The DNS record points at Vercel infrastructure, not at an attacker-controlled IP. The SSL certificate is issued by Vercel for `*.vercel.app` and is shared by every other site on the platform. The WHOIS lookup returns Vercel's data, not the attacker's. Every external signal that scanners use to flag a new domain is hidden behind the platform.

The same applies to Netlify (`*.netlify.app`), Cloudflare Pages (`*.pages.dev`), GitHub Pages (`*.github.io`), Surge (`*.surge.sh`), Firebase (`*.web.app`), Render (`*.onrender.com`), and a dozen smaller platforms. Each one offers free hosting on a shared subdomain that any scammer can claim in less time than it takes to brew coffee.

What the phishing setup actually looks like

The most common pattern is a fake hardware wallet helper site. A scammer registers something like `hardware-identity-ledger.vercel.app`, `ledger-recovery-app.vercel.app`, or `trezor-verify.vercel.app`. The page is a near-pixel copy of the real Ledger Live or Trezor Suite onboarding flow. It asks the user to "verify" or "import" their wallet by typing their 24-word recovery phrase into a form. The form sends those words to a server controlled by the attacker. Within minutes, the attacker has imported the wallet on their own machine and drained every asset they can find.

The variant that goes after software wallets does the same trick but skips the seed-phrase form. Instead it shows a `connect wallet` button that triggers a Web3 transaction. The transaction is usually a `setApprovalForAll`, an `eth_sign` of an opaque blob, or a Permit2 unlimited approval. Users who click confirm without reading the simulation are giving the attacker permission to move their tokens at any time in the future.
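The approval and signing patterns listed above can be screened on the wallet side before the confirm button is ever shown. The following is an added example, not SafeBrowz code or any wallet's own code: it inspects a wallet JSON-RPC request in the EIP-1193 `{ method, params }` shape, flags raw `eth_sign`, `setApprovalForAll(operator, true)`, and (as an adjacent case the text does not name) an ERC-20 `approve` with a uint256-max allowance. The two function selectors are the standard ERC-721/1155 and ERC-20 constants; all addresses and calldata in the samples are constructed placeholders.

```javascript
// Added example, not SafeBrowz code: screen a wallet JSON-RPC request
// (EIP-1193 shape: { method, params }) for the high-risk patterns named
// above before the user sees the confirm button.

// 4-byte function selectors for the standard ERC-721/1155 and ERC-20 calls.
// Values are keccak256(signature)[0:4]; both are well-known constants.
const SELECTORS = {
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0x095ea7b3': 'approve(address,uint256)',
};
const UINT256_MAX = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI argument word after the selector, or null
// when the calldata is too short to hold it.
function abiWord(data, i) {
  const start = 10 + i * 64; // '0x' (2) + selector (8) + i * 64 hex chars
  if (data.length < start + 64) return null;
  return BigInt('0x' + data.slice(start, start + 64));
}

function screenRequest(req) {
  const reasons = [];
  if (req.method === 'eth_sign') {
    // Raw eth_sign over arbitrary bytes: the wallet cannot show what is signed.
    reasons.push('eth_sign over opaque bytes; cannot be simulated or read');
  }
  if (req.method === 'eth_sendTransaction') {
    const tx = (req.params && req.params[0]) || {};
    const data = String(tx.data || '0x').toLowerCase();
    const sig = SELECTORS[data.slice(0, 10)];
    if (sig === 'setApprovalForAll(address,bool)' && abiWord(data, 1) === 1n) {
      reasons.push('setApprovalForAll(operator, true): operator may move every token in the collection');
    }
    if (sig === 'approve(address,uint256)' && abiWord(data, 1) === UINT256_MAX) {
      reasons.push('approve with an unbounded (uint256 max) allowance');
    }
  }
  return { risk: reasons.length > 0 ? 'high' : 'low', reasons };
}

// Constructed sample requests (placeholder addresses, no real contracts).
const pad32 = (hex) => hex.replace(/^0x/, '').padStart(64, '0');
const OPERATOR = '0x' + 'ab'.repeat(20); // placeholder address
const CONTRACT = '0x' + 'cd'.repeat(20); // placeholder address
const SAMPLE_REQUESTS = {
  approvalForAll: { method: 'eth_sendTransaction', params: [{
    to: CONTRACT, data: '0xa22cb465' + pad32(OPERATOR) + pad32('1') }] },
  unboundedApprove: { method: 'eth_sendTransaction', params: [{
    to: CONTRACT, data: '0x095ea7b3' + pad32(OPERATOR) + 'f'.repeat(64) }] },
  smallApprove: { method: 'eth_sendTransaction', params: [{
    to: CONTRACT, data: '0x095ea7b3' + pad32(OPERATOR) + pad32('3e8') }] },
  rawSign: { method: 'eth_sign', params: [OPERATOR, '0xdeadbeef'] },
  plainTransfer: { method: 'eth_sendTransaction', params: [{ to: OPERATOR, value: '0x1' }] },
};

// Map each sample to its risk level so the result can be checked directly.
function screenAll() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = screenRequest(req).risk;
  }
  return out;
}

console.log(screenAll());
```

A real wallet would run this alongside simulation rather than instead of it; the point of the selector check is that the two approval patterns the text names can be recognised from calldata alone, without any network call, so a warning can be shown even when simulation is unavailable.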

Recently we have also seen `*.vercel.app` URLs used for fake "hardware wallet identity badges": pages that claim to verify a Twitter or X handle by tapping a hardware wallet device. These look harmless at first glance because they ask for a signature rather than a seed phrase, but the signature payload is often crafted to authorize a future malicious action elsewhere. The page itself does nothing useful. The signature it captures does the harm.

Why even legitimate crypto employees share these URLs

This is the part that surprises most people. We see verified employees at major hardware wallet companies post `*.vercel.app` URLs from their own personal accounts as side projects, hackathon experiments, or prototypes. They are not malicious. The intent is genuinely to share something they built. The problem is the precedent.

When a Twitter user with a verified Ledger badge or a Trezor employee tag shares `hardware-identity.vercel.app`, the user reading that tweet learns a very specific lesson: "Vercel URLs are safe if a Ledger employee shared them." That is the lesson the attacker counts on. The very next week, the attacker registers `hardware-identity-app.vercel.app`, posts the same kind of content from a fake account that uses similar branding, and the user clicks because they have already been trained to trust the pattern.

The fix on the legitimate side is simple. Hardware wallet companies and major DeFi protocols should publish all official tooling on their own `.com` subdomains, not on shared free hosting. `verify.ledger.com` is verifiable because the user can check the domain. `hardware-identity.vercel.app` is not verifiable because anyone can deploy any subdomain. The cost of moving an experiment from Vercel to a real subdomain is a few minutes of DNS configuration. The cost of training users that Vercel URLs are official is measured in drained wallets.

Why scanners and trust tools usually miss this

Most phishing detection products work by looking up the domain in a reputation database. For a fake site on a `*.vercel.app` subdomain that database lookup gives one of two answers. Either the lookup checks `vercel.app` itself, in which case the result is "trusted, large legitimate hosting provider." Or the lookup checks `hardware-identity-ledger.vercel.app` specifically and returns "no data, no history, possibly safe." Neither answer flags the page as phishing.

The detection that does work has to look at content, not at the domain. Specifically, three signals matter. First, does the page request a 12-word or 24-word recovery phrase? Second, does the page include a `connect wallet` flow that triggers a `setApprovalForAll` or unbounded Permit2 approval? Third, does the page render brand assets (Ledger logo, MetaMask fox, Trezor wordmark) on a domain that is not on the official allow-list of that brand?

This is the kind of detection logic that the SafeBrowz extension runs locally and that the SafeBrowz API exposes for wallet apps and AI agents to call. We track 500+ brands across 100+ languages, including hardware wallets like Ledger, Trezor, Tangem, OneKey, BitBox, Coldcard, NGRAVE, SecuX, KeepKey, and Ellipal. When any of those brand names appears on a free hosting subdomain that is not on the brand's official allow-list, the page is flagged as a brand-impersonation attempt before the user's wallet ever connects.

Is vercel.app safe? Is vercel app legit?

The honest answer is: Vercel itself is a legitimate, well-funded hosting platform used by thousands of real companies, and most `*.vercel.app` URLs are not phishing. The platform is safe in the same way that Gmail is safe. The platform itself is not the threat. The threat is that anyone can claim a `*.vercel.app` subdomain in five minutes, exactly like anyone can create a Gmail address. So the question "is vercel.app safe" has the same answer as "are Gmail addresses safe": the platform is fine, the specific sender is what you have to verify.

For crypto activity specifically the rule is stricter. If a `*.vercel.app` URL is asking you to import a wallet, sign a transaction, or enter a recovery phrase, treat it as malicious by default. Legitimate hardware wallet brands and DeFi protocols do not deploy production wallet flows on shared free hosting. They deploy on their own root domains where the SSL certificate, DNS records, and ownership trail can be verified. A `*.vercel.app` URL doing wallet operations is almost always a phishing setup, regardless of what the page text claims.

If you found a specific Vercel URL that you suspect is phishing and want to report it, Vercel runs an abuse-reporting flow at vercel.com/abuse. Cloudflare-hosted Pages can be reported at cloudflare.com/abuse. Netlify reports go to abuse@netlify.com. Each platform takes phishing reports seriously and typically takes the page down within hours of a verified report.

Red flags users can check in 5 seconds

  • The URL ends in `.vercel.app`, `.netlify.app`, `.pages.dev`, `.github.io`, `.web.app`, `.surge.sh`, or `.onrender.com`. These are free hosting platforms. The legitimate page of any major hardware wallet, exchange, or wallet brand is never hosted on free shared infrastructure. The official page is on the brand's own root domain or a subdomain of it.
  • The page asks for a 12-word or 24-word recovery phrase. No legitimate wallet ever asks for the recovery phrase outside the wallet's own offline UI. If a webpage is asking for it, it is a phishing page no matter how well-designed.
  • The page asks you to "verify" or "import" your wallet to receive an airdrop, reward, or badge. This is a common social-engineering trigger. Legitimate airdrops do not require importing a wallet on a third-party site.
  • The connect-wallet flow triggers a transaction you do not understand. If the wallet popup shows `setApprovalForAll`, `eth_sign` of opaque hex, or a Permit2 with an unlimited spender, treat it as malicious by default. Read the simulation. Reject if anything is unclear.
  • The page is shared in a tweet, DM, Discord channel, or Telegram group with urgency wording. "You have 24 hours to verify." "Snapshot ends in 2 hours." Urgency is a phishing primitive. Legitimate brands do not give 2-hour windows on real activity.
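The content-first signals described under "Why scanners and trust tools usually miss this" and the checklist above can be combined into one page classifier. The following is an added example, not SafeBrowz code or its detection rules: it checks the free-hosting suffix list, whether a brand keyword appears in the hostname or page text outside that brand's official domains, whether the page asks for a recovery phrase (by wording or by a 12-plus text-box form), and whether urgency wording is present. The brand keyword list and the per-brand allow-list are assumed values for illustration; matching brand words in text is a simplification of the logo and wordmark check the text describes, and all sample URLs and page text are constructed.

```javascript
// Added example, not SafeBrowz code: a content-first classifier for a URL
// plus its rendered page text. Brand keywords and allow-lists are
// illustrative and assumed, not a real brand database.

const FREE_HOSTING_SUFFIXES = [
  '.vercel.app', '.netlify.app', '.pages.dev', '.github.io',
  '.web.app', '.surge.sh', '.onrender.com',
];

// Hostnames each brand controls (assumed for this example; a real deployment
// would load these from a maintained allow-list).
const BRAND_DOMAINS = {
  ledger: ['ledger.com'],
  trezor: ['trezor.io'],
  metamask: ['metamask.io'],
};

const SEED_PHRASE_RE = /\b(12|24)[- ]word\b|\b(recovery|seed|secret)\s+(phrase|words)\b/i;
const URGENCY_RE = /\b\d+\s+(hours?|minutes?)\s+(to|left|remaining)\b|\bsnapshot ends\b/i;

function isFreeHosting(host) {
  return FREE_HOSTING_SUFFIXES.some((s) => host.endsWith(s));
}

function isOfficialHost(brand, host) {
  return BRAND_DOMAINS[brand].some((d) => host === d || host.endsWith('.' + d));
}

// pageText: visible text of the page; inputCount: number of text inputs in
// the largest form (a 12- or 24-box grid is the classic seed-phrase layout).
function classifyPage(url, pageText, inputCount = 0) {
  const host = new URL(url).hostname.toLowerCase();
  const text = pageText.toLowerCase();
  const reasons = [];

  const freeHost = isFreeHosting(host);
  if (freeHost) reasons.push('free shared hosting subdomain: ' + host);

  let brandOffDomain = false;
  for (const brand of Object.keys(BRAND_DOMAINS)) {
    if ((host.includes(brand) || text.includes(brand)) && !isOfficialHost(brand, host)) {
      brandOffDomain = true;
      reasons.push('brand "' + brand + '" referenced outside its official domains');
    }
  }

  const asksForSeed = SEED_PHRASE_RE.test(pageText) || inputCount >= 12;
  if (asksForSeed) reasons.push('page requests a recovery phrase');
  if (URGENCY_RE.test(pageText)) reasons.push('urgency wording');

  // A recovery-phrase request is blocked on its own; a brand keyword on free
  // hosting is blocked; either signal alone is a warning.
  let verdict = 'allow';
  if (asksForSeed || (freeHost && brandOffDomain)) verdict = 'block';
  else if (freeHost || brandOffDomain) verdict = 'warn';
  return { host, verdict, reasons };
}

// Constructed samples (hostnames and page text invented for this example).
const SAMPLES = [
  ['https://hardware-identity-ledger.vercel.app/verify',
   'Verify your Ledger device: enter your 24-word recovery phrase. You have 24 hours to verify.', 24],
  ['https://verify.ledger.com/', 'Ledger Live device check', 0],
  ['https://my-portfolio.vercel.app/', 'Personal site and resume', 0],
  ['https://example.org/', 'A blog about gardening', 0],
];

function classifySamples() {
  return SAMPLES.map(([url, text, n]) => classifyPage(url, text, n));
}

console.log(classifySamples());
```

Plain keyword matching is deliberately noisy: a page about accounting ledgers on a personal Vercel site would be flagged as brand impersonation. That is why the verdict only escalates to `block` when a brand reference coincides with free hosting or with a recovery-phrase request, and why a production scanner would match rendered logo assets rather than words.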

What hardware wallet brands should do

If you work at a hardware wallet brand or DeFi protocol and you are reading this, the cleanest fix is also the cheapest. Publish all employee experiments, hackathon submissions, and prototype tooling on a subdomain you control. `experimental.<brand>.com`, `labs.<brand>.com`, or `verify.<brand>.com` all work. Reserve the subdomains. Add them to your DMARC, SPF, and DKIM records. Train every employee to use those for any side project that gets shared publicly.

The user-side benefit is enormous. Once a brand consistently publishes on its own domain, users can be trained to verify by domain. "Always check that the URL ends in `.com`" becomes a usable rule. Right now it is unusable, because the brand's own employees are sharing `.vercel.app` URLs and asking users to trust them.

How SafeBrowz handles free-hosting phishing

The SafeBrowz extension treats any URL on a free hosting subdomain that contains a tracked brand keyword as a high-risk page. The page is held until the on-page content is checked for brand-impersonation indicators. If the page renders the Ledger logo, asks for a recovery phrase, or attempts a wallet-connect that requests a high-risk approval, the page is blocked with a full-screen warning before the user can interact.

The detection works on every Chromium browser (Chrome, Edge, Brave, Opera, Vivaldi, Arc), on Firefox desktop and Firefox for Android, and on Microsoft Edge for Android. The free tier covers all of the above. The Premium tier adds AI deep-scan for brand-impersonation patterns the local rules do not cover yet, plus wallet-drainer JavaScript signature detection (Inferno, Pink, Angel, MS, Atomic) that catches the actual transaction-trigger code.

The same detection engine is also exposed as a public API at api.safebrowz.com/v1/detect, so wallet apps and AI agents can check any URL before letting a user click. Each request costs 0.001 USDC, paid via x402 on Solana or Base, with no signup required. Enterprise Bearer keys are available on request for high-volume integrators.

The bigger picture

Free hosting phishing is not a Vercel problem or a Netlify problem. It is a structural problem with shared subdomains as a primitive. Every platform that lets anonymous users claim a subdomain on a trusted parent zone creates a phishing surface, no matter how legitimate the parent zone is. Cloudflare Workers, Replit, Render, Fly.io, AWS Amplify: the list is long and getting longer. Crypto users should treat any URL on any of these platforms with the same skepticism they would apply to a brand-new `.xyz` domain.

If a hardware wallet, exchange, or major DeFi protocol is asking you to do something that involves your funds, the URL must end in that brand's own root domain. Not a free subdomain that imitates it. Not a shortener. Not a QR code from a stranger. The brand's own root domain. That is the only verification step that scales.

Block free-hosting phishing pages before you click

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake hardware wallet pages, fake login forms, and known crypto drainer domains in real time. It works on free hosting subdomains, fresh-domain registrations, and disposable scam TLDs alike. Premium adds wallet drainer JavaScript detection for $14.99 per year. The core protection is free forever.