Protocol-impersonator domain registered (typosquat)
Polymarket's assessment for RD-F-161 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Red-flag confirmed. Active and sustained impersonation campaign documented:
- (a) Phishing comment campaigns inside Polymarket market pages (Nov 2025) redirected users to fake login pages; >$500k stolen (CoinSpot, Cryptopolitan).
- (b) 20+ fake repos on the hijacked dev-protocol GitHub org impersonating Polymarket trading tools (StepSecurity, Feb 2026); typosquatted npm packages stealing .env files.
- (c) CORS misconfiguration (wildcard origin + credentials=true) exploitable for cross-origin authenticated requests (Medium, Dec 2025).

Specific WHOIS records for typosquat domains were not retrieved (domain-monitoring feed required). Scored yellow (not red) because specific typosquat domain registrations are not confirmed via WHOIS; only phishing campaigns and impersonation repos are confirmed. Would score red if a domain-monitoring feed confirms active polymarket.com typosquat registrations.
Sources
- A phishing scheme uncovered on Polymarket — users lost over $500,000 (CoinSpot — phishing scheme Nov 2025, >$500k; retrieved 2026-04-29)
- Polymarket's 2025 Security Wake-Up Call (Medium — CORS misconfiguration + Next.js CVE-2024-51479; retrieved 2026-04-29)
- Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org (StepSecurity — dev-protocol GitHub hijacking, 20+ fake repos; retrieved 2026-04-29)
Methodology
Determine whether a typosquat of the official protocol domain has been registered in the last 90 days.
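One way to run this check over a domain-monitoring feed, as an added example (not the curator's or Polymarket's tooling). The feed rows, the reserved `.example` domains, the distance threshold and the digit-swap table are assumptions made for illustration.

```python
from datetime import date

OFFICIAL = "polymarket.com"      # official domain named in the assessment
BRAND = OFFICIAL.split(".")[0]
WINDOW_DAYS = 90                 # look-back window from the methodology
MAX_DISTANCE = 2                 # assumed similarity threshold
LOOKALIKES = str.maketrans("01", "ol")  # assumed digit-for-letter swaps
AS_OF = date(2026, 4, 29)        # retrieval date shown in the sources

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1,
                          d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def recent_typosquats(feed, as_of):
    """Return (domain, reason) for lookalikes registered within WINDOW_DAYS."""
    hits = []
    for domain, created in feed:
        domain = domain.lower().rstrip(".")
        age = (as_of - date.fromisoformat(created)).days
        if domain == OFFICIAL or not 0 <= age <= WINDOW_DAYS:
            continue
        # Registrable label with hyphens removed and digit lookalikes folded.
        label = domain.split(".")[0].replace("-", "").translate(LOOKALIKES)
        if edit_distance(label, BRAND) <= MAX_DISTANCE:
            hits.append((domain, "typosquat"))
        elif BRAND in label:
            hits.append((domain, "combosquat"))
    return hits

# Constructed feed rows: (registered domain, creation date). Not real WHOIS data.
SAMPLE_FEED = [
    ("polymarkett.example", "2026-04-01"),
    ("po1ymarket.example", "2026-03-15"),
    ("polymarket-login.example", "2026-02-20"),
    ("ploymarket.example", "2025-06-01"),   # lookalike, but outside the window
    ("supermarket.example", "2026-04-10"),  # recent, but not a lookalike
]

if __name__ == "__main__":
    for domain, reason in recent_typosquats(SAMPLE_FEED, AS_OF):
        print(domain, reason)
```
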