raydiumio.org: Confirmed Raydium Impersonation Scam

02

Forensic brief

auto-generated · PhishDestroy AI

Analyst brief · auto-generated

PhishDestroy identifies raydiumio.org as an active Raydium impersonation site designed to trick users into connecting crypto wallets and draining assets. The domain uses Raydium’s branding, layout, and crypto wallet integrations to create a convincing fake interface aimed at Solana ecosystem users seeking liquidity or trading services. No legitimate Raydium assets or infrastructure are involved. This is a confirmed crypto drainer kit targeting users via web and social engineering channels. The malicious domain leverages visual cloning and wallet connection prompts to authorize unauthorized token transfers and asset theft. Blockchain security teams should treat this as a high-fidelity threat to Solana DeFi users. This domain shows multiple red flags: it carries a VirusTotal detection score of 4/95 from leading security vendors, resolving to IP address 130.12.180.128. It was registered on May 14, 2026 through Dynadot Inc. and secured with a Let’s Encrypt SSL certificate. Google Safe Browsing (GSB) lists it as unsafe, and it appears on one security blocklist. Additionally, it is already blocked by MetaMask, indicating strong browser security responses. These technical indicators confirm active malicious hosting intended for fraudulent financial transactions. raydiumio.org remains an active threat vector with a currently elevated risk level. PhishDestroy assesses this as a live Raydium impersonation site actively monitored by threat intelligence platforms. Recommendations include blocking the domain at DNS and network levels, removing any links from forums or social platforms, and issuing advisories to Solana users. Despite partial containment via MetaMask and GSB, the risk persists due to its recent registration and ongoing accessibility. Users should verify official Raydium endpoints only via trusted channels—such as the ray-dium.io domain or Raydium’s verified social accounts—and avoid interacting with raydiumio.org entirely.

Brand Impersonation clean drainer brand: Raydium

03

Threat response pipeline

May 17, 2026 · 0 reports submitted

9/19

30+ Proprietary Parsers

Distributed scanning of Google Ads, SEO-manipulated results, Twitter/X, YouTube & Telegram campaigns.

Infrastructure Analysis

dnstwist & typosquatting detection against Raydium.

Community Intelligence

Real-time ingestion via Telegram Bot & partner intelligence feeds.

Threat Ingested

raydiumio.org detected and queued for full analysis.

May 17, 2026

51+ Vendor Submissions

Threat data submitted to 51+ security vendors & threat-intel platforms. 4 flagged this domain.

ChainPatrol alphaMountain.ai Chong Lua Dao Seclookup Spamhaus Cloudflare Google Safe Browsing Microsoft Security VirusTotal Netcraft ESET Bitdefender Norton Safe Web Avira Kaspersky Sophos Fortinet TrendMicro McAfee Forcepoint BlueCoat Quttera Yandex Safe OpenPhish PhishTank URLhaus SURBL Mimecast Proofpoint Webroot Comodo Avast AVG Malwarebytes Emsisoft F-Secure Panda Dr.Web GData ALYac Cyren Tencent Rising Baidu ClamAV Antiy Acronis AILabs CryptoScamDB ScamSniffer SEAL-ISAC

Cloudflare Radar

View scan — verdict: pending

VirusTotal

4 / 95 vendors flagged on VirusTotal.

Blocklist Detection

Found in 2 blocklists: MetaMask, PhishDestroy.

Forensic Evidence Collection

URLScan.io, URLQuery & Cloudflare Radar — DOM snapshots, HTTP transactions, DNS & certificate data.

Open Threat Database

Real-time commits to GitHub repository & live monitoring at phishdestroy.io/live.

Social Broadcasting

Automated alerts on X, Telegram & Mastodon.

Awaiting Takedown

Domain still active — monitoring & re-reporting continues. 0h since first report.

04

Evidence capture

urlscan snapshot · domain intelligence

Live Snapshot

2026-05-17 07:12 UTC

Malicious · 4/95 engines

IP: 130.12.180.128

Dynadot Inc

2d old

Let's Encrypt

View Full Size URLScan Report Wayback Download

Page Title

Raydium | Solana Dex

Favicon Hash

5d708f3be4b2a8592c37c7e97609ff2b

Domain Intelligence

Domainraydiumio.org

Registrar

Dynadot Inc(US)

Abuse contact abuse@virtualine.org

IP Address 130.12.180.128

ASN 202412 · Omegatech LTD

Registration Created 2026-05-14 11:29:01 2d

SSL Let's Encrypt · valid 88d · expires 2026-08-13

Hosting

Amsterdam , NL · Virtualine Technologies

Nameservers ns2.dyna-ns.net

Impersonates Raydium

Page title “Raydium | Solana Dex”

HTTP status 200 · redirects to raydiumio.org

External lookups ICANN RDAP ↗ WHOIS ↗ viewdns ↗rapiddns ↗ ICANN registrars ↗

Technical details DNS, hashes, case ID

Favicon hash5d708f3be4b2a8592c37c7e97609ff2b

SSL fingerprintc4cd2358635ce77c557da9b01f6ba3f5674179323ecd6133804756f9370305ff

URLScan UUID019e3493-194b-726c…

08

Public blocklist status

cross-vendor confirmation

2

Listed in 2 public blocklists — confirmed by independent sources

Sources with no listing are omitted.

MetaMask

LISTED

PhishDestroy

LISTED

10

VirusTotal consensus

95 vendors · 3-col matrix

4/95

vendors flagging

Partial detection

Aggregated detection across 95 security vendors.

Per-vendor breakdown not available — view raw report on VirusTotal ↗

11

Site performance

PageSpeed Insights · mobile

Site performance analysis

Google PageSpeed Insights — mobile audit of raydiumio.org

93

Good

Performance

FCP

2.59

First Contentful Paint

LCP

2.59

Largest Contentful Paint

CLS

0

Cumulative Layout Shift

TBT

0

Total Blocking Time

SI

3.21

Speed Index

12

Evidence & external reports

cross-reference this domain

Security Analysis

URLScanurlscan.io

VirusTotalvirustotal.com 4 det.

URLQueryurlquery.net S SSL Labsssllabs.com Valid

CF Radarradar.cloudflare.com S ScamAdviserscamadviser.com

OSINT & Intelligence

Shodanshodan.io Censyscensys.io ThreatFoxabuse.ch IntelXintelx.io crt.shcrt.sh WHOISwhois.com Waybackweb.archive.org

13

Related domain reports

same kit · same campaign

simpleswapdex.org

help-ledger.com

checkscrypto.com

manage-ledgrlive.pages.dev

totalitarianassignmentcpos.weebly.com

j58n.vip

Were you affected by this site?

immediate response · authorities

Were You Affected?

You are not alone and there is nothing to be ashamed of. Reporting is the most powerful weapon against fraud — your report can prevent others from becoming victims.

Chainabuse

Report crypto wallet or phishing URL

FBI IC3

Report internet crime (US)

Europol

Report cybercrime (EU)

Domain Appeal

Contest this listing

Beware of recovery scammers! No legitimate service will ask for upfront payment to recover stolen crypto. Learn more about recovery fraud →

15

Report to your local authorities

geo-aware · authorities · AI complaint

Your country (auto-detected)

Netherlands

Switch:

Fraudehelpdesk

Nationaal fraudemeldpunt

Politie NL

Aangifte cybercrime

Email template — registrar abuse

To: abuse@virtualine.org, abuse@dynadot.com Registrar: Dynadot Inc Case: PD-

To: abuse@virtualine.org, abuse@dynadot.com

Subject: Phishing domain abuse report — raydiumio.org (case PD-)

Hello Dynadot Inc,

I am reporting raydiumio.org as an active phishing/scam domain.

Findings (verified by PhishDestroy automated pipeline):
- VirusTotal detections: 4/95 security vendors
- Blocklists: listed on 2 public blocklists
- First reported: 2026-05-17 06:17 UTC
- Public dossier: https://phishdestroy.io/domain/raydiumio.org/
- Evidence (screenshot, redirect chain, DNS, WHOIS): https://phishdestroy.io/domain/raydiumio.org/?evidence=1
- JSON API: https://phishdestroy.io/api/domain/raydiumio.org.json

Per ICANN RAA §3.18, registrars are required to take reasonable and prompt steps to investigate and respond appropriately to reports of abuse. Please take immediate action to suspend this domain.

Thank you for your cooperation.
— Reporter (via phishdestroy.io)

Open in mail client Appeal (if false-positive)

Check Any Domain

Instant threat analysis with 50+ security engines & forensic evidence.

Scan Now

Report Phishing

Submit suspicious domains to our threat database — protect the community.

Report

Live Threat Feed

Real-time monitoring of active phishing campaigns & takedown progress.

Monitor

16

Embed this report

iframe · sizer · CC-BY

Embed this report

Drop a live, self-updating risk widget anywhere — blog, DAO forum, Discord webhook, X post. Free, no API key, CC-BY.

raydiumio[.]org 100/100 MALICIOUS · 4/95 VT · 0h View full report ↗

Live preview at 100% width

<iframe src="https://phishdestroy.io/domain/raydiumio.org/?embed=1" width="100%" height="160" frameborder="0" style="border:1px solid #1e293b;border-radius:12px;max-width:520px"></iframe>

Canonical: https://phishdestroy.io/domain/raydiumio.org/ JSON API llm.txt

17

About this report

methodology · appeals · API

About this report: raydiumio.org

This domain security report is maintained by PhishDestroy's automated threat-intelligence pipeline. Our system continuously monitors this domain across 95 security vendors on VirusTotal and 2 public blocklists.

The site displays a page titled “Raydium | Solana Dex”.

raydiumio.org has been flagged by 4 security vendors as of May 17, 2026.

If you believe this listing is inaccurate, you can submit an appeal. For more information about our methodology, visit our FAQ page.