# eth-curve.co — SUSPICIOUS

> eth-curve.co impersonates Curve.finance to steal credentials. VT 0/95 undetected, registered April 2026, resolves to 130.12.180.128.

## Summary

PhishDestroy identifies eth-curve.co as an active brand-impersonation threat targeting Curve users by mimicking the legitimate Curve.finance website. The domain uses a deceptive spelling variation to lure victims into entering private keys or seed phrases, risking fund theft. This tactic exploits user trust in Curve's reputation through a visually similar interface. The current risk level is flagged as under_investigation, but immediate caution is warranted due to the high potential for credential harvesting and financial loss.

This domain was flagged by trust scoring systems due to its malicious impersonation of Curve.finance. Key technical indicators include registration through Dynadot Inc on April 06, 2026, resolution to IP address 130.12.180.128, and possession of a Let's Encrypt SSL certificate. VirusTotal scans show 0/95 detections, indicating it remains undetected by most antivirus engines as of current analysis. The page title displayed is 'Curve.finance', further reinforcing the deception. Domain age is extremely low (created in 2026), which is atypical for legitimate financial platforms and often correlates with malicious intent. Despite no confirmed blocklist inclusions at this time, the combination of technical markers demands urgent scrutiny.

To mitigate brand-impersonation risks from eth-curve.co, all users must immediately stop visiting the domain and report it to their security teams or browser vendors. Block the domain at DNS and network levels using firewall rules targeting IP 130.12.180.128 and domain eth-curve.co. Verify all bookmarks and wallet connections by cross-referencing official Curve.finance endpoints (verified via Curve’s official social channels and documentation). Enable 2FA on Curve accounts and educate teams to scrutinize domains for subtle misspellings. Consider submitting the domain to threat intelligence platforms like VirusTotal or URLVoid for community-wide protection. Organizations should implement DNS filtering policies to block newly registered domains mimicking high-value brands like Curve within the first 30 days of registration, particularly when SSL certificates are obtained rapidly via issuers like Let's Encrypt, as observed here.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Curve
- Page title: Curve.finance

## Domain Intelligence

- Registered: 2026-04-06 10:32:59
- Registrar: Dynadot Inc
- IP: 130.12.180.128

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/eth-curve.co
- PhishDestroy: https://phishdestroy.io/domain/eth-curve.co/
- LLM endpoint: https://phishdestroy.io/domain/eth-curve.co/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/eth-curve.co/

Last updated: 2026-04-06