defirisk.co
rubric v1.7.0

Protocol-impersonator domain registered (typosquat)

Chainlink CCIP's assessment for RD-F-161 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Process-learnings instruction: assess F161 first for top-tier DeFi brands; calculate registration-date-to-assessment-date delta explicitly. Multiple confirmed active typosquat and impersonator domains targeting Chainlink: (1) chnlink[.]xyz — active cryptocurrency drainer, confirmed by PCRisk; serving IP 104.21.96.1 (Cloudflare-proxied active site); mimics chain.link. (2) dashboard-chain[.]xyz — confirmed fake Chainlink site (PCRisk same report). (3) register-chain[.]link — confirmed fake airdrop domain mimicking chain.link (PCRisk Chainlink Airdrop Scam guide). (4) Fake bridge scam resulting in $520,000 LINK loss (Binance Square). WHOIS gap: DomainTools API not available in static dry run; exact registration dates not determinable for 90-day threshold calculation [?]. Assessment basis: multiple confirmed active fraud domains at different domain types (.xyz, .link subdomains, others); PCRisk removal guides indicate active operation post-2024; 'ChainLink phishing' technique evolution doc

Sources #

Methodology #

Determine whether a typosquat of the official protocol domain has been registered in the last 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-161 score red collected_at 2026-05-16 01:55:09