# hyperliquid.club — MALICIOUS

> hyperliquid.club is a confirmed brand impersonation site masquerading as Hyperliquid. Security vendors flag it with 14/95 detections.

## Summary
PhishDestroy identifies hyperliquid.club as an active brand impersonation phishing domain targeting Hyperliquid users. The domain employs a crypto drainer kit designed to mimic Hyperliquid’s official interface and deceive visitors into connecting their wallets or entering credentials, likely resulting in fund theft or account takeover. This threat leverages visual replication of Hyperliquid’s branding, UI structure, and domain naming (using the ‘club’ TLD to suggest exclusivity or community), a common tactic among crypto-related phishing campaigns to exploit user trust and urgency. The site’s infrastructure is engineered to harvest private keys, seed phrases, or wallet signatures under the guise of authentication or transaction verification. Threat intelligence indicates this is part of a growing trend of impersonation sites targeting decentralized finance (DeFi) and liquidity protocol users.

Technical indicators confirm elevated risk: the domain was registered on December 04, 2025, through Dynadot Inc., resolving to IP 54.215.31.113. VirusTotal analysis shows 14 out of 95 security vendors flag the domain, with detection names including crypto-drainer and brand-impersonation heuristics. The SSL certificate is issued by Let's Encrypt, a common choice among threat actors due to its low cost and ease of issuance. Google Safe Browsing (GSB) does not currently list the domain, and the site appears on one public blocklist curated by ScamSniffer. The domain’s recent creation (within the last month) and association with a known crypto security watchdog (ScamSniffer) underscores its high-risk, novel nature.

Current status of hyperliquid.club is active and unblocked by major browsers, though it is flagged by specialized threat feeds and security tools. Immediate response includes blocking the domain at network and DNS levels, removing saved credentials or wallet connections, and reporting the domain to Google Safe Browsing, PhishTank, and the target brand (Hyperliquid) via their official abuse channels. Users are advised to verify all URLs before interacting, use hardware wallets for sensitive transactions, and enable multi-factor authentication where available. Although this domain is not widely propagated via spam or large-scale ads, its presence in curated threat intelligence sources highlights a latent but serious risk to cryptocurrency users seeking liquidity solutions. Remaining risk is elevated due to the domain’s active status, recent deployment, and alignment with known crypto drainer tactics. Continuous monitoring is recommended as new variants or related domains may emerge.

## Threat Details
- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Hyperliquid

## Domain Intelligence
- Registered: 2025-12-04 00:17:20
- Registrar: Dynadot Inc
- IP: 54.215.31.113

## Detection Status
- VirusTotal: 14 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hits
  Lists: ["ScamSniffer"]

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/e8c5d6d6-7c82-4e05-9448-d3ec74995103
- PhishDestroy: https://phishdestroy.io/domain/hyperliquid.club/
- LLM endpoint: https://phishdestroy.io/domain/hyperliquid.club/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/hyperliquid.club/
Last updated: 2026-03-28