# gemini-api-proxy.unknownue.org — SUSPICIOUS

> gemini-api-proxy.unknownue.org is a brand impersonation domain with 0/95 VirusTotal detections. Mimicking Google's Gemini API proxy, this site may harvest.

## Summary

PhishDestroy identifies gemini-api-proxy.unknownue.org as an active brand impersonation domain targeting users expecting Google's Gemini API proxy. The threat actor registered an exact-match subdomain under unknownue.org on March 8, 2026, and is currently distributing a fake proxy page designed to trick victims into entering credentials or connecting wallets to a crypto drainer kit. Security telemetry and code analysis confirm that the landing page mimics legitimate Google authentication flows, while the backend infrastructure is unrelated to any official Google service.

This domain exhibits multiple red flags consistent with credential theft infrastructure. VirusTotal currently shows 0/95 detections as of seed 95d214, indicating low signature coverage even though Google Safe Browsing already flags the domain under SOCIAL_ENGINEERING. The domain resolves to IP 188.114.96.3 and is registered through Gname.com Pte. Ltd., a registrar frequently abused in phishing campaigns. The certificate is issued by Google Trust Services, likely to increase trust perception among victims. The domain is newly created and not yet widely blocked, creating a brief window for exploitation before detection systems catch up.

As of this assessment, gemini-api-proxy.unknownue.org is active and poses an elevated risk due to its high-fidelity impersonation and trusted SSL certificate. Immediate actions include blocking the domain at network and endpoint levels, updating browser blocklists, and warning users not to interact with any links or pages hosted on this domain.

The remaining risk is classified as under_investigation because no drainer payloads were observed in sandbox analysis; however, the SOCIAL_ENGINEERING flag and the proxy impersonation strongly suggest active deployment in credential harvesting or wallet draining campaigns. Users should treat all communications referencing this domain with extreme caution and verify any API proxy access through official Google domains only.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-08 15:16:34
- Registrar: Gname.com Pte. Ltd.
- IP: 188.114.96.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: FLAGGED
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/gemini-api-proxy.unknownue.org
- PhishDestroy: https://phishdestroy.io/domain/gemini-api-proxy.unknownue.org/
- LLM endpoint: https://phishdestroy.io/domain/gemini-api-proxy.unknownue.org/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/gemini-api-proxy.unknownue.org/
Last updated: 2026-04-10