# hyper-liquidxyz.pages.dev — SUSPICIOUS

> hyper-liquidxyz.pages.dev is a brand impersonation site flagged by 1/95 VirusTotal vendors. Impersonates Hyperliquid to deploy crypto drainers.

## Summary

PhishDestroy identifies hyper-liquidxyz.pages.dev as an active brand impersonation domain targeting users of Hyperliquid, a decentralized exchange. The site masquerades as the official Hyperliquid platform to deceive victims into connecting cryptocurrency wallets, enabling fund draining via malicious smart contracts. The elevated risk stems from the high likelihood of financial loss upon interaction through fraudulent on-chain activity. Given the ongoing targeting of cryptocurrency platforms and the prevalence of crypto drainer malware in browser extensions and websites, this domain poses a significant threat to users engaged in digital asset trading or DeFi operations. Immediate detection and blocking are recommended to prevent wallet compromise.

This domain was flagged by VirusTotal with a detection ratio of 1 out of 95 security vendors as of the latest scan. It resolves to IP address 172.66.44.85, operated by Cloudflare, Inc., which is serving as the registrar and hosting provider via Pages.dev infrastructure. The SSL certificate is issued by Google Trust Services, leveraging the default trust chain associated with *.pages.dev wildcard domains. The domain shows no signs of being included on major blocklists (e.g., PhishTank, OpenPhish, URLVoid) at this time, suggesting it may be newly deployed. The use of Cloudflare Pages indicates a low-cost, rapid deployment tactic commonly used by threat actors to host spoofed platforms for credential theft or crypto draining campaigns.

To mitigate exposure to this threat, users should immediately cease all interactions with hyper-liquidxyz.pages.dev and verify any Hyperliquid-related links through official channels (e.g., official website, verified X/Twitter, or Discord). Enable wallet address verification and transaction simulation tools such as Revoke.cash or WalletConnect permission audits. Block the domain at the DNS and network level using enterprise or personal firewalls. Consider adding the IP 172.66.44.85 to blocklists, keeping in mind that it is a Cloudflare address, so an IP-level block can also affect unrelated sites served from the same infrastructure. Users should also inspect browser extensions for unauthorized permissions and disable any unknown or suspicious wallet connectors. Report the domain to Hyperliquid's official security team and contribute detection samples to threat intelligence platforms to aid in broader mitigation.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Hyperliquid

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.44.85

## Detection Status

- VirusTotal: 1 vendor flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/hyper-liquidxyz.pages.dev
- PhishDestroy: https://phishdestroy.io/domain/hyper-liquidxyz.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/hyper-liquidxyz.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/hyper-liquidxyz.pages.dev/

Last updated: 2026-04-09