When the security tool becomes the target
How PhishFort protects Revoke.cash users from impersonation campaigns built to strike at the most exploitable moment in crypto: the DeFi panic window.
A trusted security tool weaponised against its own users
Revoke.cash is one of the most trusted tools in the DeFi security stack. Users go to it during moments of fear: after an exploit warning, a protocol hack, or a security advisory. That use pattern makes it an unusually attractive target for impersonation.
A user searching for Revoke.cash during an active panic is the most exploitable user in crypto. They are already alarmed, already intent on taking action, and already primed to connect their wallet somewhere fast. Threat actors understand this well.
Rosco Kalis, founder of Revoke.cash, recognised early that the brand’s own trustworthiness was being turned against its users. The tool’s reputation for protecting wallets was the very thing that made fake versions of it so effective.
Over 60 domains, coordinated campaigns, and attacks timed to real panic moments
PhishFort’s monitoring identified a consistent and evolving attack infrastructure built specifically around the Revoke.cash brand:
Typosquats
revokecash.com, revokie.cash, revuke.cash, revolecash.netHyphenated
revoke-cash.app, revoke-cash.pro, revoke-cash.storeSubdomain bolted
revoke.securemycash.xyz, revoke.cash-app.financeVersion lures
revoke-v3.cash, exploiting protocol upgrade anxietyBeyond domains, PhishFort identified coordinated social amplification through fake accounts impersonating ZachXBT, CertiK, and protocol security teams, spreading fabricated exploit warnings that linked directly to fake Revoke interfaces. Fake DeFi tutorial blogs hosted on Vercel, GitHub Pages, and similar trusted infrastructure were also used to surface these pages in search results.
Most domains were registered weeks or months in advance, then deployed within hours of a real or fabricated DeFi exploit going viral. It is a deliberate dormancy strategy, specifically designed to slip past reactive monitoring.
Working side by side with the Revoke.cash team
PhishFort’s engagement with Revoke.cash goes beyond automated monitoring. The teams work in close coordination, sharing intelligence on emerging campaign patterns, aligning on takedown priorities, and making sure that every activation of dormant infrastructure gets an immediate response.
That proximity matters. In a threat environment where attacks are timed to real-world events, response speed depends as much on the strength of the working relationship as on the technology itself.
Four layers of continuous monitoring, built to stay ahead of the attack
Standard phishing protection assumes users arrive at a site under normal conditions. Protecting Revoke.cash meant building for something different: a threat environment where panic itself is the attack vector.
Pre-registration domain surveillance
Infrastructure enumeration on dormant domains
Social media impersonation tracking
Coordinated takedown execution
Zero successful large-scale campaigns during the monitoring period
“PhishFort has been instrumental in protecting our users from the fake Revoke.cash sites that appear every time there’s a DeFi scare. The proactive monitoring means we’re not constantly playing catch-up. Threats are identified and actioned before most users even see them.”
The Revoke.cash case makes clear why DeFi brands need continuous monitoring rather than coverage that only kicks in after something goes wrong. The infrastructure used to impersonate trusted security tools is sophisticated, patient, and deliberately timed. Stopping it requires the same level of persistence on the other side.