They later were able to deactivate the website and regain control of the domain. "Remember scammers are always chasing you," they wrote on Twitter.
Ethena website compromised
The website for the Ethena protocol was compromised by attackers who gained control of the project's domain registration. The protocol issued warnings to their users to urge them not to interact with the website, which could compromise their crypto holdings.
dYdX v3 exchange website compromised amid sale announcement
Crypto exchange dYdX has announced that the website for their v3 exchange was compromised, and is urging people not to use it. This announcement came almost simultaneously with a report from Bloomberg that the company behind the exchange was looking to sell the software behind the v3 exchange, after they’d upgraded to what they call v4.
The affected domain was hosted on Squarespace, which could connect this compromise to similar events earlier in the month affecting domains registered there.
Popular defi protocol websites replaced with wallet drainers amid mass Squarespace domain hijacking
Websites providing the frontends for some popular defi services, including Compound Finance, were compromised and replaced with wallet drainers: websites resembling the usual frontend, but which drain unsuspecting users' wallets when used.
Somewhat ironically, the "Unstoppable Domains" web3 domain service was also impacted, and their site was offline for a while before they regained control.
The hijacking appears to be thanks to an attack on Squarespace's domain registry. Crypto founder Bobby Ong has suggested that the attack is affecting domains acquired through Google Domains, which sold its business to Squarespace several months ago. "Tthe forced migration of domains to Squarespace removed 2FA causing all these domains to be vulnerable and several have been hijacked," he wrote. "Best thing to do is to not interact with crypto and rest for the next couple of days until everything is resolved."
Web2 is going just great!
Balancer frontend compromised
Balancer issued an urgent warning to stop using its web interface, as it was evidently compromised by malicious actors who redirected the funds to themselves. Within 30 minutes of the tweeted warning, $240,000 had already been stolen.
This is the second theft from Balancer in a month, after it warned of a critical vulnerability on August 22, and that vulnerability was exploited for around $2 million several days later.
Terra website hijacked by phisher
Despite the catastrophic Terra/Luna collapse in May 2022, the Terra blockchain is still up and running. On August 19, the official Twitter account for the Terra project tweeted that the project's website had been hijacked, and was being used by a phisher to try to obtain access to users' wallets. When the website is opened, it prompts visitors to connect their wallets, which then allows the phishers to drain funds.
Despite a tweet on August 19 that "sites are coming back online", and a developer stating that they were "mostly back in control", the website apparently remained compromised for several days. The project reiterated via tweet on August 20 that the website was still not safe to use.
It's unclear how much was stolen as a result of the hijacking.
Celer Network's cBridge suffers BGP hijacking attack, users lose combined $240,000
The Celer Network's cBridge project was targeted with a BGP hijacking attack. Users who tried to access the bridge's frontend were instead shown a site that prompted them to authorize transactions that drained their wallets. The attacker was able to steal around 128 ETH (~$240,000) before the exploit was discovered and Celer took the frontend offline. The stolen funds were quickly transfered to the Tornado Cash cryptocurrency tumbler.
- Tweet by CelerNetwork
- Etherscan for attacker wallet
- "Truth Behind the Celer Network cBridge cross-chain bridge incident: BGP hijacking", SlowMist
Curve Finance frontend compromised, $620,000 stolen but later recovered by exchanges
Curve Finance's frontend at curve.fi was compromised, prompting users to give token approval to a malicious smart contract. Stolen funds were then transferred out to the FixedFloat cryptocurrency exchange and the Tornado Cash tumbler. It appears that at least 362 ETH (~$620,000) have been stolen.
Curve acknowledged the apparent exploit, tweeting at the iwantmyname domain platform to say they believed the issue was on their end. Around an hour after the issue was widely noticed, Curve announced the "issue has been found and reverted", and to use the alternate Curve Finance domain until DNS changes propagated for the affected domain. They also urged users to revoke any recent contract approvals they'd made on the Curve platform.
FixedFloat tweeted that they had been able to freeze 112 of the stolen ETH (~$192,000) that had been transferred to their platform. Binance later announced that they'd recovered the remaining stolen funds, with founder CZ tweeting, "The hacker kept on sending the funds to Binance in different ways, thinking we can't catch it. 😂"
Ankr gateways for Polygon and Fantom compromised, seed phrases possibly stolen
The Ankr public RPC gateways (basically an API for dApps and other services to communicate with the blockchain) for Polygon and Fantom were impacted when attackers compromised the projects' DNS management. Those who accessed Polygon or Fantom using Ankr's RPC gateways saw pop-up windows stating that "funds are at risk", and prompting them to enter their seed phrases at a website linked from the popup to "restore their wallet".
Polygon's chief information security officer Mudit Gupta told CoinDesk that day that "no funds [were] lost as far as we know but we are still investigating", and that dApps using the Ankr RPC endpoint were non-functional. Ankr later announced that the RPC systems had been fully restored, and that the breach had come from a "third-party vendor" that enabled attackers to change Ankr's domain hosts.
SpiritSwap is the latest victim of a domain hijacking attack
In what is beginning to become a pattern, SpiritSwap was the latest project where attackers gained control of their domain and were able to modify the frontend to divert funds to a wallet under their own control. SpiritSwap tweeted that the "the hacker has managed to exploit Godaddy" (unlikely — it was more likely a case of stolen credentials) and swap out the recipient address.
The hacker only managed to exfiltrate around $18,000 before being discovered, and SpiritSwap shut down their swapping through their router to prevent the attack from continuing.
MM.Finance suffered a similar attack earlier in the month, losing $2 million after an attacker gained control of the domain and swapped in their own address to siphon funds.
Attacker compromises MM.Finance to redirect $2 million in crypto assets to their own wallet
MM.Finance, a group of crypto projects based on the Cronos blockchain, suffered an attack that allowed a hacker to redirect more than $2 million worth of crypto assets that were being exchanged through the project's website to their own wallet. Although MM.Finance described the attack as "DNS hijacking", it seems unlikely this is an accurate description of the attack, which seems more likely to involve phished credentials to their domain service providers.
"Please do not perform any transactions or your funds will be sent to the exploiter wallet," MM.Finance tweeted shortly before taking the website offline. Three days earlier, MM.Finance had published a blog post to address "FUD" in their ecosystem stemming from a popular Reddit post that described MMF as an "inverse pyramid of derivatives" that the author believed would "topple", and outlined the project's "rosy future".
The project promised to try to compensate users, with its developers foregoing 45 days of trading fees to reimburse users. They also appealed to the OKC crypto exchange to intervene to help recover funds from someone they believed to be the attacker, and threatened the attacker with the FBI. "With all these information, we have more than what we need to bring this information to the FBI," they wrote on Twitter. "So here's the deal, return 90% of the funds you stole and we will let this go, no questions asked. You have 48 hours to return these funds."
- Tweet by MM.Finance
- "Mm Finance — The road ahead", MM.Finance blog
- "Personal Take on Events and Existing Tokenomics", post from r/MMFinance
- "DNS Hi-Jacking Post Mortem & Compensation", MM.Finance blog