DNS/CDN/frontend hash drift

Hyperliquid's assessment for RD-F-105 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

hyperliquid.xyz is the official frontend domain, served via Cloudflare. No confirmed DNS/CDN compromise at the official domain during the assessment period. HOWEVER: documented fake Google Ads campaigns leading to wallet-draining scams (claim-hyperliquid[.]xyz, hyperliquid[.]life) are confirmed in 2024-2025 (Phemex reporting). These are impersonator domains, not DNS drift on the official domain — RD-F-161 is the correct signal for impersonators. The fake Google Ads ecosystem elevates risk but does not trigger RD-F-105 (official domain drift) directly. Signal baseline not established; if monitoring were live, the fake ad campaigns constitute an elevated-risk context requiring establishment of a hash baseline. Score yellow due to active impersonation ecosystem creating persistent attack surface, even though the official domain itself has not been compromised.

Sources #

URL
https://radar.cloudflare.com/domains/domain/hyperliquid.xyzretrieved 2026-04-28
URL
https://phemex.com/news/article/fake-hyperliquid-ads-on-google-lead-to-walletdraining-scams-11125retrieved 2026-04-28

Methodology #

Detect whether the hash of production frontend JS changes versus the prior published hash, or a DNS config change is detected.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperliquid factor RD-F-105 score yellow collected_at 2026-04-28 13:58:49