# ethfoundation.icu — SUSPICIOUS

> Discover why ethfoundation.icu is flagged for Ethereum impersonation. Insights on its infrastructure, risk, and current offline status.

## Summary

PhishDestroy identifies ethfoundation.icu as a medium-risk phishing domain engaged in brand impersonation targeting Ethereum. The domain’s page title, "Governing Realtime Ethereum | ETHGas Foundation," attempts to mimic Ethereum-related services, misleading visitors into believing it is an official platform. Classified under brand impersonation, this site aimed to exploit the Ethereum name and the trust associated with the cryptocurrency community.

Technically, ethfoundation.icu resolved to IP address 188.114.96.3 and was registered through PDR Ltd. d/b/a PublicDomainRegistry.com on March 12, 2026. Although only three out of ninety-five security vendors on VirusTotal flagged this domain, it appears on two separate security blocklists, supporting suspicion of malicious intent. The domain’s registration through a generic registrar and its relatively recent creation date further raise red flags. The use of the “.icu” top-level domain, often favored by malicious actors due to its low cost and lax registration policies, also contributes to its risk profile.

The domain ethfoundation.icu is currently offline, halting any ongoing phishing activity connected to it. Despite limited direct detections, the combination of technical indicators, blocklist appearances, and brand impersonation tactics warranted defensive action. PhishDestroy recommends continued monitoring for potential reuse or related domains mimicking Ethereum, as threat actors frequently cycle through similar domains to maintain fraudulent campaigns.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: dead (HTTP 0)
- Target brand: Ethereum
- Page title: Governing Realtime Ethereum | ETHGas Foundation

## Domain Intelligence

- Registered: 2026-03-12 17:07:01
- Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
- Country: IN
- IP: 188.114.96.3
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: elaine.ns.cloudflare.com, owen.ns.cloudflare.com
- SSL Issuer: none

## Detection Status

- VirusTotal: 3 vendors flagged
  - Vendors: ["alphaMountain.ai", "Forcepoint ThreatSeeker", "SOCRadar"]
- Google Safe Browsing: clean
- Blocklists: 2 hits
  - Lists: ["PhishDestroy", "MetaMask"]

## Evidence

- Screenshot: https://i.ibb.co/ZzVdGt72/f998f1aa19c2.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/5e95a8fb-f740-4548-b67c-5665fd33ac54
- PhishDestroy: https://phishdestroy.io/domain/ethfoundation.icu/
- LLM endpoint: https://phishdestroy.io/domain/ethfoundation.icu/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/ethfoundation.icu/

Last updated: 2026-03-19