Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Ask HN: My project made news as a "Scam", what can I do?(kitv.com)
1 points by arionhardison 5 hours ago | 7 comments
oopsiremembered 5 hours ago | parent | next [-]

Question Number 1 through Infinity: Is this impacting your business? Actually? Today?

I'd suggest keeping an eye on things but not getting too bent out of shape. The video didn't call your company a scam; it said that scammers have been using your domain. And the news has gotten pretty limited reach, mostly in a small news market -- and a bit in the niche market of cybersecurity. Kicking up too much of a stink, especially ineffectually, might create a Streisand Effect.

If it is impacting your business, then the answer you perhaps don't want to hear: This is crisis comms. This is a job for a PR/crisis comms agency.

If you can't afford one, you're going to have to fake your way through some heavy lifting. Press releases, pitching reporters, etc.

I'd focus, in part, on making people comfortable with the idea of your project and your vision as something normal and safe. I wouldn't draw DOGE comparisons. "DOGE" is a four-letter word to a lot of people.

Separately, you may have legal options -- vis-a-vis defamation or other matters: KHON seems to be saying that links ending with codify.inc "always" indicates a scam. If that's not true, that's something probably correctable. (But that doesn't mean you need to necessarily drop a fat retainer on a lawyer's desk if you're not looking to collect $$$. An email to a relevant editor could sort that out.)

arionhardison 4 hours ago | parent [-]

1. Yes, I have had 3 potential clients mention this to me and initially I was a bit caught off guard. I am also concerned that it could be more and some decided to just not move forward because they believed outright that it was a "Scam".

2. I agree, I think I was a bit too worried because I do not know how to navigate this space "Gov Tech" very well.

Thankyou very much for your response; developing a product in a silo can cause tunnel vision which leads to blowing things out of proportion, your comment has really helped me to put things into perspective.

My biggest concern by far is that they seem to have put codify.inc on a registry so ISP's are blocking or showing the red "this is a scam - go back to safety" page. I really liked and invested a lot into that "branding".

oopsiremembered 3 hours ago | parent [-]

It's worth getting ahead of because you don't want it to escalate vis-a-vis other gov agencies. Outreach to editors @ various outlets is going to be important. If you want to go the extra mile, maybe it makes sense to try to talk to and work with HI SOC? (But I'd want to know more about your situation.)

This is something that's good to catch early so you know that it's an ongoing thing you'll have to deal with. Investing in your branding means it's an ongoing investment (esp. in B2G, which places a premium on trust).

Also, if you're losing business because of this, it -may- actually make sense to talk to a lawyer at some point. You can't blame HI SOC for flagging (at least, that's what I suspect), but the news reports seem to vary in terms of how responsible their reporting is.

But that's maybe an issue for another day.

arionhardison 5 hours ago | parent | prev | next [-]

TL;DR: Hawaii's SOC mislabeled my civic-tech staging subdomains as a phishing scam, then pushed it as a press release — multiple outlets ran it. I'm about to launch the city-tier version (Miami, Boston, NYC, LA, Vegas) and want HN's advice on correcting the record before then.

I'm Arion. I'm building Project20x — an AI-native governance platform (policy authoring → codification → delivery as digital public goods). It's the substrate that turns policy into running services. I'm building it across all 50 states and 40+ countries concurrently, because government actually runs on interagency dependencies, not silos — VA hands off to HUD, HHS coordinates with every state Medicaid office, etc.

The subdomain pattern at the time was {agency}.{state}.{country}.codify.inc — so the Hawaii subprojects lived at dlir.hi.usa.codify.inc, health.hi.usa.codify.inc, etc. Real staging environments. Not impersonations. No credential capture, no solicitation of money, no fake state seal.

In late 2025 the Hawaii SOC published an alert flagging those subdomains as phishing impersonating state agencies — and pushed it out as a press release. KITV ran the segment in the URL above. Several other Hawaii outlets ran their own write-ups off the same release. So "scam" is now indexed across multiple sites, not one. The same effort that went into a coordinated press push could have gone into one email to a contact page — but I hadn't published one, and they didn't ask.

Here's what I think is fair, and what I think isn't:

Fair: A citizen unfamiliar with Codify could be thrown by a .inc URL that contains an agency abbreviation as a subdomain label (dlir.hi.usa.codify.inc) — even though the apex is codify.inc not .gov, and every page header read "Codify Inc official portal for [agency name]." The on-page identification was there; the URL itself was the surprise. That's a comms-and-onboarding failure on my part, and the fix is to stop putting agency abbreviations into deep subdomain paths. The new pattern is per-city apex (codify.la, codify.nyc, codify.boston, codify.miami, codify.vegas) — clearly a Codify property at first glance, no nested abbreviations to misread. I've also published a security contact (a@project20x.com) and a public registry listing live vs. staging vs. claimable subprojects. The SOC didn't reach out before the alert because I hadn't published a contact. That's fixed.

Not fair: "Scam" is a factual claim and it's wrong. Every page header on the flagged subdomains read "Official Codify Inc portal" or "Official Project20x portal for [agency name]" — including the screenshots used in the "scam" example. The site never claimed to be the agency, never collected information on the agency's behalf, and never solicited money. This is a civic-tech project in the same spirit as DOGE / USDS / 18F — same DOGE-shaped goal, achieved by compilation rather than chainsaw. Building in public on the open internet has a cost I underestimated, but mislabeling civic-tech as fraud has a cost too.

Why I'm asking now: I'm launching the city-tier version — "DOGE for cities" — for Miami, Boston, NYC, LA, and Las Vegas, on per-city apex domains (codify.miami, codify.la, codify.nyc, codify.boston, codify.vegas). No more nested codify.inc subdomains. Playbook this time: clear "Codify Inc portal" header on every page, published security contact, .gov counterpart links, and CIO/CISO outreach before launch. Rather get it right than clean up again.

So — HN, what would you actually do?

Project: https://project20x.com/about Contact: a@project20x.com

benoau 4 hours ago | parent [-]

Why are you calling your portals "Official"?

Wouldn't it be more traditional to disclaim you are unofficial and unaffiliated with these agencies?

arionhardison 4 hours ago | parent [-]

I was doing this because some portals that have been setup are setup by the end users; its a platform. But these were the ones that "I" the developer of Project20x/Codify had setup internally.

This is a really good point though, I think I should remove that.

Hackbraten 4 hours ago | parent | prev [-]

[dead]