# lido-finance.at — SUSPICIOUS

> Avoid lido-finance.at—a phishing site mimicking Lido Finance. The domain is offline, but stay alert and never share credentials on suspicious sites.

## Summary
PhishDestroy identifies lido-finance.at as a medium-risk brand impersonation phishing domain targeting users of the Lido Finance platform. This domain sought to deceive victims by mimicking the legitimate DeFi staking and swap service, potentially leading to credential theft or financial loss. The impersonation threat level is considered medium, given the domain's limited detection but presence on multiple blocklists.

The domain lido-finance.at was registered recently on March 11, 2026, and resolved to the IP address 104.21.52.3. VirusTotal analysis shows 4 out of 95 security vendors flagged this domain, reinforcing suspicion. Additionally, it appeared on three distinct security blocklists, indicating recognized malicious activity by various threat intelligence sources. The phishing page title "Lido Finance Platform 2026 - DeFi Staking & Swap" was crafted to align closely with the genuine Lido brand. The domain's infrastructure and age suggest an opportunistic attempt to exploit the growing DeFi user base.

Currently, lido-finance.at is offline, which helps reduce immediate exposure to potential victims. Users are strongly advised to remain vigilant and avoid interacting with this domain or any unsolicited links claiming association with Lido Finance. Security teams should maintain updated blocklists and educate users about brand impersonation risks. Continuous monitoring of similar domains is recommended to protect against future phishing campaigns leveraging trusted DeFi brands. The unique seed 76b720 underscores the need for bespoke detection methods as phishing tactics evolve.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: dead (HTTP 403)
- Page title: Lido Finance Platform 2026 - DeFi Staking & Swap

## Domain Intelligence
- Registered: 2026-03-11 15:07:01
- IP: 104.21.52.3
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["arushi.ns.cloudflare.com", "wilson.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 4 vendors flagged
  Vendors: ["alphaMountain.ai", "SOCRadar", "ThreatHive", "Webroot"]
- Google Safe Browsing: clean
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019ce201-658d-7508-b5e8-aa6469cac215.png
- PhishDestroy: https://phishdestroy.io/domain/lido-finance.at/
- LLM endpoint: https://phishdestroy.io/domain/lido-finance.at/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/lido-finance.at/
Last updated: 2026-03-19