# hyperliquidguide.pages.dev — SUSPICIOUS > WARNING: hyperliquidguide.pages.dev impersonates Hyperliquid with a crypto drainer kit. VT score: 0/95. Verify before interacting using PhishDestroy. ## Summary PhishDestroy has identified hyperliquidguide.pages.dev as an active crypto drainer domain impersonating the Hyperliquid brand. This fraudulent page uses a replica of Hyperliquid’s branding to trick users into connecting crypto wallets, with the malicious payload designed to drain funds without authorization. The domain leverages a Pages.dev subdomain under Cloudflare’s infrastructure, a common tactic to obfuscate hosting origins and evade detection by traditional security filters. Initial behavioral analysis suggests the drainer kit is likely a JavaScript-based client-side exploit targeting Web3 wallet integrations, specifically designed to intercept and manipulate transaction approvals. Technical indicators confirm this domain is a high-fidelity threat with minimal detection. VirusTotal currently shows 0/95 detections despite active hosting, indicating strong evasion against AV/EDR systems. The domain resolves to IP 172.66.44.162 via Cloudflare’s CDN, registered under Cloudflare, Inc., and secured with a Let’s Encrypt SSL certificate. Notably, this IP is part of Cloudflare’s ASN (AS13335), a frequent choice for threat actors due to its reliability in bypassing geo-blocking and IP-based defenses. The domain was registered recently and lacks presence in Google Safe Browsing (GSB) and major threat intelligence blocklists, enabling it to fly under the radar. This domain is currently active and under investigation by PhishDestroy’s threat intelligence team. Immediate defensive actions include domain takedown notifications to Cloudflare Trust & Safety and coordination with Hyperliquid’s security team to issue public advisories. While current risk is elevated due to zero detections and recent deployment, the threat remains confined to social engineering vectors (e.g., phishing emails, fake ads, or impersonated support links). Users are strongly advised to verify any Hyperliquid-related link using PhishDestroy’s URL checker or official sources before wallet interaction. The remaining risk is moderate-to-high and dependent on continued user exposure and propagation via social channels. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) - Target brand: Hyperliquid ## Domain Intelligence - Registrar: Cloudflare, Inc. - IP: 172.66.44.162 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/8a4a6a8a-0441-450c-9bf4-a62783ddb1e7 - PhishDestroy: https://phishdestroy.io/domain/hyperliquidguide.pages.dev/ - LLM endpoint: https://phishdestroy.io/domain/hyperliquidguide.pages.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/hyperliquidguide.pages.dev/ Last updated: 2026-03-22