defirisk.co
rubric v1.7.0

Social-media impersonation scam spike

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when a sharp uptick in Discord, Telegram, or X (Twitter) accounts impersonating the protocol team or announcing fake airdrops, token migrations, or emergency wallet-connection prompts is detected. The signal is generated by social-media monitoring feeds tracking keyword-based impersonation patterns and verified-account impersonation on major platforms. Category 6 context: social-media impersonation scams are not structural exploits — they do not compromise on-chain contracts — but they are often paired with frontend phishing attacks and can serve as a distraction or amplification layer for a concurrent on-chain exploit.

**Why it matters** Social-media impersonation spikes are documented as co-occurring signals in several dataset incidents. Badger DAO ($120M) saw impersonation and phishing activity concurrent with the frontend compromise. The Infini incident ($49.5M) involved a rogue developer with insider access, where social channels were a parallel attack vector. More broadly, fake airdrop scams have directly drained user wallets across dozens of smaller protocols. While the signal's connection to structural protocol risk is weaker than on-chain signals, a sudden coordinated impersonation campaign targeting a protocol is often a leading indicator of a coordinated attack across multiple vectors.

**Green / Yellow / Red** Green is the baseline when social-media monitoring shows no unusual pattern of impersonation accounts or fake-airdrop announcements related to the protocol. Yellow fires when a moderate increase in impersonation accounts is detected — consistent with a targeted phishing campaign but without evidence of coordinated escalation. Red fires when a sharp spike in coordinated impersonation activity is detected across multiple platforms simultaneously, particularly if the messaging is consistent with a specific false announcement (token migration, emergency wallet reconnection) that could trigger user wallet-connection actions.

**Common gray cases** Gray applies when the social-media monitoring feed does not cover a platform where the protocol's community is primarily active, or when the protocol does not have a significant social-media presence, making baseline-setting unreliable.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Detect a sharp uptick in Discord/Telegram/X accounts impersonating the protocol team or announcing fake airdrops.

Data & output

**Data source** Social-media monitoring feed (Bolster/PhishFort/Chainabuse or equivalent) + keyword/handle pattern matching

**Output format** Green / Yellow / Red

**Evidence artifact** Flagged account list + platform + report source + timestamp

**Confidence signal** green = signal not firing; yellow = 1–2 impersonation accounts detected (normal noise); red = coordinated campaign (≥5 accounts or verified drain reports); gray = social monitoring not configured
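
One way to turn a flagged account list into the green / yellow / red / gray output using the confidence-signal thresholds above. This is an added example, not defirisk.co's own code; the official handle, the sample accounts, the look-alike rule and the 24-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

# Digit-for-letter swaps often seen in look-alike handles (assumed, not exhaustive).
LOOKALIKES = str.maketrans("013457", "oleast")

@dataclass
class Account:              # one row of the evidence artifact
    platform: str
    handle: str
    source: str             # report source
    seen: datetime          # timestamp

def normalize(handle: str) -> str:
    folded = handle.lower().translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalnum())

def is_lookalike(handle: str, official: str) -> bool:
    if handle.lower() == official.lower():
        return False        # the genuine account is never flagged
    h, o = normalize(handle), normalize(official)
    return o in h or SequenceMatcher(None, h, o).ratio() >= 0.85  # assumed cut-off

def score(accounts, official, monitored, now, drain_reports=0,
          window=timedelta(hours=24)):
    """Return (colour, flagged accounts). The 24 h window is an assumption."""
    if not monitored:
        return "gray", []   # social monitoring not configured
    flagged = [a for a in accounts
               if now - a.seen <= window and is_lookalike(a.handle, official)]
    if len(flagged) >= 5 or drain_reports > 0:
        return "red", flagged
    # The page defines yellow as 1-2 accounts; 3-4 is unspecified, treated as yellow here.
    return ("yellow" if flagged else "green"), flagged

# Constructed sample data; "exampleprotocol" is a hypothetical official handle.
OFFICIAL = "exampleprotocol"
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Account("x", "exampleprotocol", "feed", NOW),                       # genuine
    Account("x", "examp1eprotocol", "feed", NOW - timedelta(hours=1)),
    Account("telegram", "exampleprotocol_support", "feed", NOW - timedelta(hours=2)),
    Account("discord", "ExampleProtocolAirdrop", "user report", NOW - timedelta(hours=2)),
    Account("x", "exampleprotoco1_team", "feed", NOW - timedelta(hours=3)),
    Account("telegram", "example_protocol", "feed", NOW - timedelta(hours=5)),
    Account("x", "randomtrader", "feed", NOW),                          # unrelated
    Account("x", "exampleprotocol_help", "feed", NOW - timedelta(days=3)),  # stale
]
```

Calling `score(SAMPLE, OFFICIAL, True, NOW)` returns the colour together with the flagged rows, which map onto the evidence artifact fields.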

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-109 |
| --- | --- | --- |
| Aave v3 | ethereum | not_assessed |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | yellow |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | not_assessed |
| Jupiter | solana | not_assessed |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | gray |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | not_assessed |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | yellow |
| PancakeSwap | bsc | not_assessed |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | gray |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | not_assessed |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | not_assessed |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-109 | category: 6 | carried: 80 | critical: no