Social-media impersonation scam spike

Chainlink CCIP's assessment for RD-F-109 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Persistent and confirmed brand impersonation activity. (1) Official Chainlink Discord compromised 2024-09-03: phishing link posted; community warned via Twitter; never officially acknowledged by Chainlink; total victim losses unknown but wallet-drain mechanism confirmed active. (2) chnlink[.]xyz: confirmed active fake Chainlink site operating as cryptocurrency drainer (PCRisk documented; serving IP 104.21.96.1). (3) register-chain[.]link: confirmed fake airdrop mimicking Chainlink (PCRisk). (4) dashboard-chain[.]xyz: confirmed fake Chainlink site. (5) Fake CCIP bridge scam resulting in $520K LINK loss documented (Binance Square). (6) ChainLink phishing technique using trusted service chains documented by BleepingComputer and SecurityQuotient. Score: yellow — ongoing elevated impersonation activity; one confirmed Discord compromise incident; no spike uniquely targeting CCIP as a pre-strike reconnaissance pattern. Persistent structural threat.

Sources #

URL
ChainLink Official Discord Phishing LinksChainlink Discord phishing 2024-09-03 — official Discord compromised; phishing link posted; wallet drainer risk activeretrieved 2026-05-16
URL
Fake Chainlink Website Scam — PCRiskPCRisk: chnlink[.]xyz — confirmed fake Chainlink wallet drainer siteretrieved 2026-05-16
URL
ChainLink Phishing: How Trusted Domains Become Threat VectorsBleepingComputer: ChainLink Phishing — exploitation of trusted infrastructure chains for credential harvestingretrieved 2026-05-16

Methodology #

Detect a sharp uptick in Discord/Telegram/X accounts impersonating the protocol team or announcing fake airdrops.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-109 score yellow collected_at 2026-05-16 01:55:09