Protocol-impersonator domain registered (typosquat)

Evidence summary #

Protocol-impersonator domain registered (typosquat) | Applicable: YES | At least 2 confirmed active wallet-drainer domains: (1) event-falconsfinance[.]com (vote rewards drainer, Oct 2025); (2) claim-falcon[.]app (airdrop drainer, Sep 29 2025, IP 213.111.144.132). Both documented by PCRisk as confirmed crypto wallet drainers impersonating falcon.finance. Red threshold met.

Detail #

Threshold: typosquat of official domain registered within last 90 days OR active wallet-drainer confirmed impersonating the protocol. Two distinct active drainer operations documented by PCRisk: (1) event-falconsfinance[.]com — impersonates falcon.finance; vote rewards theme; users invited to connect wallet to 'vote' on $FF reward dates from Treasury Pool Funds; activates drainer; distributed via fake/stolen X/Facebook accounts and rogue ad networks; PCRisk last updated Oct 2025. (2) claim-falcon[.]app — impersonates falcon.finance; airdrop theme; serving IP 213.111.144.132; close visual copy of official site; connects wallet → signs malicious contract → drains funds; PCRisk published Sep 29, 2025. Both represent confirmed active wallet-drainer sites with social-media distribution. The brand name 'falcon.finance' (short, memorable) and the $1.6B TVL make this a high-value impersonation target. No bug bounty or SIRT email published, leaving users without a reporting channel. Active drainers confirmed from 2 independent PCRisk documents: red threshold met.

Sources #

Methodology #

Determine whether a typosquat of the official protocol domain has been registered in the last 90 days.

See the full factor methodology and distribution across all protocols →