DNS/CDN/frontend hash drift
Meteora's assessment for RD-F-105 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Cat 6B exploit-in-progress signal (T-09 v1 phase-2 signal). Legitimate meteora.ag frontend appears stable as of 2026-05-16. Multiple confirmed Meteora-brand phishing/typosquat domains actively targeting users: (1) meteora-ag.org — registered 2026-02-21 via Dynadot LLC, first detected 2026-02-26, flagged by 5 security vendors including PhishDestroy/MetaMask/SEAL blocklists; (2) ag.meteora.gifts — registered 2026-02-21 (same day coordinated registration); (3) meteora.to — registered 2025-08-24 via Spaceship Inc, HTTP 530 but domain still live 173+ days post-abuse report; (4) meteora.tools — flagged by 1 security vendor as of 2026-04-27. PCRisk published 'Fake Meteora Website Scam' removal guide. The coordinated same-day registration of meteora-ag.org and ag.meteora.gifts suggests an organized phishing campaign. Signal applies to legitimate domain integrity monitoring; typosquat ecosystem elevates urgency of active monitoring.
Sources #
- URLmeteora.to — Is this a phishing threat?PhishDestroy meteora.to: registered 2025-08-24, HTTP 530 but 173 days post-report still without registrar action; HIGH risk phishing domain impersonating Meteoraretrieved 2026-05-16
- Fake Meteora Website Scam — Removal and Recovery StepsPCRisk: 'Fake Meteora Website Scam — Removal and recovery steps' — active user-facing phishing campaigns documentedretrieved 2026-05-16
- meteora-ag.org Investigation — Phishing DetectedPhishDestroy meteora-ag.org: registered 2026-02-21 via Dynadot LLC, detected 2026-02-26, listed on PhishDestroy/MetaMask/SEAL blocklists, flagged by 5 security vendorsretrieved 2026-05-16
Methodology #
Detect whether the hash of production frontend JS changes versus the prior published hash, or a DNS config change is detected.
See the full factor methodology and distribution across all protocols →