# curvefinance.co — MALICIOUS

> PhishDestroy identifies curvefinance.co as a brand impersonation crypto drainer mimicking Curve. VirusTotal flags 5/95 vendors.

## Summary

PhishDestroy identifies curvefinance.co as a deceptive domain engaged in active brand impersonation of Curve, a prominent decentralized finance protocol. The site operates as a crypto drainer designed to trick users into authorizing malicious transactions that drain assets from connected wallets. This tactic is frequently employed in Web3 ecosystems to exploit trust in well-known brands and facilitate irreversible financial theft. No evidence suggests use of a custom drainer kit; however, the domain’s infrastructure and operational behavior align with known cryptocurrency theft campaigns targeting DeFi users.

Technical indicators of this domain are highly suspicious and consistent with malicious activity. Registered through Dynadot Inc on February 09, 2026, the domain resolves to IP address 130.12.180.128. VirusTotal analysis shows 5 out of 95 security vendors have flagged this domain as malicious. It is blocked by seven prominent security systems including Polkadot, Codeesura, CryptoFirewall, SEAL, and Enkrypt. Additionally, it is listed on multiple threat intelligence blocklists. The domain holds a valid SSL certificate issued by Let’s Encrypt, which is commonly abused to appear legitimate and evade detection by casual users.

At present, curvefinance.co remains active and accessible, posing an elevated risk to cryptocurrency users. Blocking efforts by major security platforms indicate recognition of the threat, but the domain continues to operate. Users should immediately avoid interacting with this domain and remove it from bookmarks or search results. The combination of recent registration, high blocklist presence, low detection ratio, and impersonation of a trusted DeFi brand suggests a high likelihood of ongoing attacks.

To mitigate risk, users are advised to verify URLs through official Curve channels, use hardware wallets for sensitive transactions, and consult real-time threat feeds such as PhishDestroy for updates.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Curve

## Domain Intelligence

- Registered: 2026-02-09 14:18:11
- Registrar: Dynadot Inc
- IP: 130.12.180.128

## Detection Status

- VirusTotal: 5 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 7 hits
- Lists: Polkadot, Codeesura, CryptoFirewall, SEAL, Enkrypt, MetaMask, ScamSniffer

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/16293eca-9038-4522-b27b-f4de0e9a6d4e
- PhishDestroy: https://phishdestroy.io/domain/curvefinance.co/
- LLM endpoint: https://phishdestroy.io/domain/curvefinance.co/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/curvefinance.co/

Last updated: 2026-03-24