I'd suggest keeping an eye on things but not getting too bent out of shape. The video didn't call your company a scam; it said that scammers have been using your domain. And the news has gotten pretty limited reach, mostly in a small news market -- and a bit in the niche market of cybersecurity. Kicking up too much of a stink, especially ineffectually, might create a Streisand Effect.
If it is impacting your business, then the answer you perhaps don't want to hear: This is crisis comms. This is a job for a PR/crisis comms agency.
If you can't afford one, you're going to have to fake your way through some heavy lifting. Press releases, pitching reporters, etc.
I'd focus, in part, on making people comfortable with the idea of your project and your vision as something normal and safe. I wouldn't draw DOGE comparisons. "DOGE" is a four-letter word to a lot of people.
Separately, you may have legal options -- vis-a-vis defamation or other matters: KHON seems to be saying that links ending with codify.inc "always" indicate a scam. If that's not true, that's something probably correctable. (But that doesn't mean you need to necessarily drop a fat retainer on a lawyer's desk if you're not looking to collect $$$. An email to a relevant editor could sort that out.)
2. I agree, I think I was a bit too worried because I do not know how to navigate this space "Gov Tech" very well.
Thank you very much for your response; developing a product in a silo can cause tunnel vision, which leads to blowing things out of proportion. Your comment has really helped me to put things into perspective.
My biggest concern by far is that they seem to have put codify.inc on a registry, so ISPs are blocking or showing the red "this is a scam - go back to safety" page. I really liked and invested a lot into that "branding".
arionhardison•1h ago
I'm Arion. I'm building Project20x — an AI-native governance platform (policy authoring → codification → delivery as digital public goods). It's the substrate that turns policy into running services. I'm building it across all 50 states and 40+ countries concurrently, because government actually runs on interagency dependencies, not silos — VA hands off to HUD, HHS coordinates with every state Medicaid office, etc.
The subdomain pattern at the time was {agency}.{state}.{country}.codify.inc — so the Hawaii subprojects lived at dlir.hi.usa.codify.inc, health.hi.usa.codify.inc, etc. Real staging environments. Not impersonations. No credential capture, no solicitation of money, no fake state seal.
In late 2025 the Hawaii SOC published an alert flagging those subdomains as phishing impersonating state agencies — and pushed it out as a press release. KITV ran the segment in the URL above. Several other Hawaii outlets ran their own write-ups off the same release. So "scam" is now indexed across multiple sites, not one. The same effort that went into a coordinated press push could have gone into one email to a contact page — but I hadn't published one, and they didn't ask.
Here's what I think is fair, and what I think isn't:
Fair: A citizen unfamiliar with Codify could be thrown by a .inc URL that contains an agency abbreviation as a subdomain label (dlir.hi.usa.codify.inc) — even though the apex is codify.inc not .gov, and every page header read "Codify Inc official portal for [agency name]." The on-page identification was there; the URL itself was the surprise. That's a comms-and-onboarding failure on my part, and the fix is to stop putting agency abbreviations into deep subdomain paths. The new pattern is per-city apex (codify.la, codify.nyc, codify.boston, codify.miami, codify.vegas) — clearly a Codify property at first glance, no nested abbreviations to misread. I've also published a security contact (a@project20x.com) and a public registry listing live vs. staging vs. claimable subprojects. The SOC didn't reach out before the alert because I hadn't published a contact. That's fixed.
Not fair: "Scam" is a factual claim and it's wrong. Every page header on the flagged subdomains read "Official Codify Inc portal" or "Official Project20x portal for [agency name]" — including the screenshots used in the "scam" example. The site never claimed to be the agency, never collected information on the agency's behalf, and never solicited money. This is a civic-tech project in the same spirit as DOGE / USDS / 18F — same DOGE-shaped goal, achieved by compilation rather than chainsaw. Building in public on the open internet has a cost I underestimated, but mislabeling civic-tech as fraud has a cost too.
Why I'm asking now: I'm launching the city-tier version — "DOGE for cities" — for Miami, Boston, NYC, LA, and Las Vegas, on per-city apex domains (codify.miami, codify.la, codify.nyc, codify.boston, codify.vegas). No more nested codify.inc subdomains. Playbook this time: clear "Codify Inc portal" header on every page, published security contact, .gov counterpart links, and CIO/CISO outreach before launch. Rather get it right than clean up again.
So — HN, what would you actually do?
Project: https://project20x.com/about
Contact: a@project20x.com
benoau•1h ago
Wouldn't it be more traditional to disclaim you are unofficial and unaffiliated with these agencies?
arionhardison•35m ago
This is a really good point though, I think I should remove that.