Security Alert: 220 DeFi Protocols Exposed to Potential Squarespace DNS Hijack

2024-07-24, 07:50

[//]:content-type-MARKDOWN-DONOT-DELETE
![](https://gimg2.gateimg.com/image/article/1721807281sdfx.jpeg)
## [TL; DR]
DNS attacks can redirect DNS records to malicious websites that can drain the users’ wallets.

During the first two weeks of July some bad actors tried to compromise MetaMask, <a href="/pt/price/compound-comp" target="_blank" class="blog_inner_link">Compound</a> and Celer Networks, among others.

Users should use strong passwords for emails as well as two factor authentication for their digital accounts.

## Introduction
Crypto attackers are increasing their methods of stealing digital assets from unsuspecting investors. Thus, it is essential for people who carry out crypto transactions to be observant of unusual activities on the blockchain networks they interact with. Today we focus on how crypto attackers are using DNS hijacking to steal from people. We shall also explore ways in which investors can protect their assets from such attacks.

## Crypto Attackers Up their Methods: How DNS Attacks Threaten the Sector
A new crypto attack method called DNS hijacking is threatening the security of various blockchain networks. This sophisticated method the bad actors are using may affect many decentralized finance protocols, with fear that over 220 DeFi protocols are currently under great threat.

Through Squarespace DNS hijack nefarious actors can redirect DNS records to malicious IP addresses used for draining digital assets from unsuspecting users' wallets. Already, using this method these attackers have compromised several DeFi protocols including Compound, an <a href="/pt/price/ethereum-eth" target="_blank" class="blog_inner_link">Ethereum</a>-based DeFi protocol, and Celer Network, a multi-chain interoperability protocol. The users’ digital wallets that interact with front ends of the targeted protocols will be redirected to web pages that will drain their wallets. It is essential to note that in most cases the victims are tricked into signing malicious transactions which gives the attackers full control of their assets. The drainers kits are usually deployed through compromised domains and phishing websites, thus many crypto investors face DeFi security risks.

Some observers have pointed out that these attackers have links with  the notorious Inferno Drainer who use advanced wallet draining kits to take control of the victims’ crypto assets through deceptive transactions. As per a recent Decrypt publication, Ido Ben-Natan, the co-founder and CEO of Blockaid, is convinced that Inferno Drainer is involved in these crypto heists. In an [interview with Decrypt, Ben-Natan said](https://decrypt.co/239524/220-defi-protocols-risk-squarespace-dns-hijack "interview with Decrypt, Ben-Natan said"), “The association to Inferno Drainer is clear due to shared onchain and offchain infrastructure. This includes onchain wallet and smart contract addresses as well as offchain IP addresses and domains linked to Inferno."

However, since these cybercriminals share on-chain and off-chain infrastructure it is possible to track them. For example, digital firms such as Blockaid that work with affected communities and parties can help in identifying DNS vulnerabilities and mitigate the effects of such attacks. However, clear communication and cooperation from various involved parties is essential to limit the extent of the damage the attack may cause. Ben-natan explained: "Blockaid is able to track the addresses. Our team has also been working closely with the community to ensure there’s an open channel to report compromised sites.”
Way back in November 2023 Inferno Drainer announced its intention to disband its operation. However, by the look of things the group still poses much cybersecurity in crypto threats through DNS hijacking and other related methods. Based on the recent cryptocurrency security trends Inferno Drainer has stolen over $180 million worth of digital assets. 
## DNS Hijack Issue: How it Works
DNS attack occurs when the bad actors divert search queries to unauthorized domain name servers. Basically, the attacker uses unauthorized modifications or malware to alter the DNS record of the targeted website thereby redirecting the users to a malicious destination. In the case of Squarespace attack some experts believe that the attackers could have used DNS cache poisoning which involves injecting false data into the DNS caches. As a result, the DNS queries would return incorrect responses before redirecting users to malicious websites.

The [DeFi protocols](https://www.gate.io/learn/articles/how-defi-protocols-generate-revenue-and-why-its-important/2890 "DeFi protocols") that were attacked used various methods to prevent large scale thefts of the users’ digital assets. One of the widely used SquareSpace security responses was alerting the users of the existing danger. For example, MetaMask warned its users of the danger through social media platforms such as [X.com](https://x.com/MetaMask/status/1811436757759701391 "X.com"). 
![](https://gimg2.gateimg.com/image/article/17218082771.jpeg)
Source: [X.com](https://x.com/MetaMask/status/1811436757759701391 "X.com")

Once the targeted DeFi protocols shared the warnings in various social media platforms many members of different crypto communities helped by spreading the message, alerting many digital asset users about the existing threats.

Read also: [Six Major Indicators Every Beginner Must Know About DeFi](https://www.gate.io/learn/articles/six-major-indicators-every-beginner-must-know-about-defi/563 "Six Major Indicators Every Beginner Must Know About DeFi")
## Scope of Impact: 220 DeFi Protocols at Risk
Currently, there is no tangible information on the full extent of the recent Squarespace DNS hijack. The first DNS attacks were detected on 6 and 11 July this year when the malicious actors tried to take control of Compound and Celer Network. However, in the case of Celer Network its monitoring system thwarted the attack. Blockaid’s initial assessment of the attacks indicates that the attackers are targeting domain names which Squarespace provides. This puts more than 220 DeFi protocols at DeFi security risks. This is because all[ DeFi apps](https://www.gate.io/blog_detail/1038/everything-you-need-to-know-about-defi " DeFi apps") that use Squarespace domain face the DNS attack risks.

Regarding this, through an [X post, Blockaid said](https://x.com/blockaid_/status/1811423284409602184 "X post, Blockaid said"),” From initial assessment, it appears that the attackers are operating by hijacking DNS records of projects hosted on SquareSpace.” Attacks on various DeFi protocols, digital wallets and crypto exchanges were thwarted by their robust security systems. In most of these cases the frontends notified the users of the impending danger as the following screenshot shows. 
![](https://gimg2.gateimg.com/image/article/17218083422.jpeg)
Source: x.com

As observed, digital wallets that include Coinbase Wallet and MetaMask flagged the associated websites as malicious and unsafe. examples of some DeFi protocols at risk are Thorchain, Flare, Pendle Finance, <a href="/pt/price/aptos-apt" target="_blank" class="blog_inner_link">Aptos</a> Labs, Polymarket, Satoshi Protocol, Near, <a href="/pt/price/dydx-dydx" target="_blank" class="blog_inner_link">dYdX</a>, Nirvana, MantaDAO and Ferrum.
## The Role of DNS in Crypto Security
In simple terms, a Domain Name System (DNS) converts website names to computer-friendly addresses. For example, they translate domain names such as www.tcore.com) into numerical IP addresses such as 82.223.84.85 enabling devices to connect with different online destinations. However, a DNS plays an important role in securing online crypto platforms. Since it is a decentralized system it has no central point of failure which prevents many cyberattacks. Also, blockchain DNS makes it impossible for bad actors to temper with transactions thereby securing digital assets that exist on various decentralized networks. 
## How DeFi platforms Can Safeguard Themselves against Similar Vulnerabilities
After the DNS attacks, cybersecurity experts have suggested several methods of handling similar DNS vulnerabilities. DeFi firms can add more security layers to their protocols. For example, they can reconfigure their smart contracts to prevent updates unless they are verified onchain signatures. In this case, before an update a DNS should request a signature from the user’s wallet. This will make it more difficult for the hackers to succeed in their missions since they would need to hack both the wallet and the registrar.

Also, DeFi protocols may need to bookmark trusted URLs and verify all the associated website addresses. They can also add relevant browser extensions such as HTTPS as well as two-factor authentications (2FA) for digital accounts and wallets. In addition, DeFi protocol should have communication channels to report suspicious crypto activities. With that, any affected platform can get support from other security partners.

Another way of [protecting DeFi platforms](https://www.gate.io/learn/articles/what-is-defi/2815 "protecting DeFi platforms") is to use content filtering to block malicious websites from interacting with their smart contracts. For example, they can use robust malware [to block the phishing websites](https://www.gate.io/learn/articles/common-phishing-methods-and-security-prevention-suggestions-in-web3/3061 "to block the phishing websites").

## User Guide: How to  Protect Personal Assets
Apart from the DeFi protocol security measures implemented, the users should adopt their own crypto asset protection strategies. For example, they should install antimalware software on their electronic gadgets. They must also use two factor authentication, VPNs and strong firewalls. In addition, individuals should use strong passwords for their emails and domain registrations. 
## Conclusion 
More than 220 DeFi protocols are under threat from DNS attacks. During the first two weeks of July some malicious attackers tried to compromise several DeFi protocols and digital wallets that include Compound, Celer Network, Coinbase wallet and MetaMask. However, most of these platforms fended off the attacks. To prevent future attacks crypto firms may [introduce additional security measures](https://www.gate.io/blog_detail/4278/stay-safe-with-gate.io-essential-security-measures-every-user-should-know "introduce additional security measures") such as two factor authentications and relevant browser extensions like HTTPS. 
## FAQs about DNS Attack
### What happens if DNS is hijacked?
If DNS is hijacked it will redirect DNS records to malicious websites which may result in users’ wallet drain. To prevent DNS attacks DeFi firms may need to reconfigure their smart contracts to stop updates that normally occur without verified onchain signatures. 
### How do you mitigate DNS hijacking?
Users can use various strategies such as strong email passwords and two factor authentications to mitigate DNS hijacking. On the other hand, DeFi protocols may need to bookmark trusted URLs and verify all associated website addresses.
### Does VPN prevent DNS hijacking?
A VPN can prevent DNS hijacking. This is because the VPN is able to prevent the interception of DNS queries. However, the users should use reliable VPNs.
## What is the difference between DNS proofing and DNS hijacking?  
DNS hijacking involves changing the DNS settings while DNS proofing modifies the DNS records. Usually, the attackers use malware to facilitate DNS hijacking.

<div class="blog-details-info">
<div>Author:** Mashell C.**, Gate.io Researcher
<div class="info-tips">\*This article represents only the views of the researcher and does not constitute any investment suggestions.
<div>\*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all cases, legal action will be taken due to copyright infringement.
</div>

Partilhar

İçerik

Credit Ranking

Complete Gate Post tasks to upgrade your rank