Protocol-impersonator domain registered (typosquat)
dYdX v4 (dYdX Chain)'s assessment for RD-F-161 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
A typosquat domain registration linked to the Jan 2026 supply-chain attack is confirmed. The threat actor registered priceoracle.site on January 9, 2026, approximately 18 days before malicious package publication (Jan 27, 2026). The subdomain dydx.priceoracle.site served as the C2/exfiltration endpoint for the wallet stealer. The domain mimicked dYdX oracle infrastructure (dydx + priceoracle = dual brand deception). Domain status at reporting was server transfer prohibited / client hold, indicating seizure/lockdown.

Additional historical context: in Jul 2024, DNS hijacking targeted the dydx.exchange domain (now migrated to dydx.xyz after a Cloudflare registrar move), which demonstrates a persistent pattern of dYdX-adjacent domain targeting.
Sources
- URL: DNS Nameserver Hijacking Postmortem — persistent domain targeting pattern. dYdX DNS hijacking postmortem — Jul 2024 dydx.exchange domain attacks. Retrieved 2026-05-17.
- Compromised dYdX npm and PyPI Packages — typosquat domain analysis. TheHackerNews — typosquat domain dydx.priceoracle.site in supply chain attack. Retrieved 2026-05-17.
- Malicious dYdX Packages Published to npm and PyPI — domain registration analysis. Socket.dev — priceoracle.site domain registered Jan 9, 2026; dydx.priceoracle.site C2 endpoint. Retrieved 2026-05-17.
Methodology
Determine whether a typosquat of the official protocol domain has been registered in the last 90 days.