A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers.

DNS hijacking is when an attacker modifies a target’s Domain Name System records to redirect traffic from a legitimate website to one under their control, such as phishing pages. These attacks are typically done by compromising a DNS server or the target’s account at a DNS service provider and making changes to the DNS records.

DNS hijacks target crypto platforms

Yesterday, numerous DeFi platforms warned that their website domains were redirecting users to phishing sites that utilized wallet drainers to steal cryptocurrency and NFTs from connected wallets. All of these domains shared a common registrar, Squarespace.

DeFi platform Compound Finance warned yesterday that its main domain had been taken over to display a phishing page.

The platform warned users not to visit its website and provided a secure alternative instead. It also advised anyone who interacted with Compound dApps to revoke access.

Celer Network, a platform focused on layer-2 scaling solutions for blockchain applications, also announced it was targeted by DNS hijacking. However, it says it intercepted the attempt and swiftly recovered its DNS records.

“Our ongoing investigation indicates that the attack vector likely involved third parties beyond our control,” stated Celer on X.

Finally, Pendle, a DeFi protocol for trading tokenized future yield, experienced similar issues. It advised users to revoke approvals for its smart contracts immediately and clear their browser cache to ensure they’re not being redirected elsewhere.

All three platforms assured users that these DNS hijacks had not compromised their protocols and that people’s funds were safe.

Still, those who entered details on the phishing sites need to take immediate action to mitigate the risks, including revoking smart contract approvals, changing passwords, and transferring funds to a new wallet.

Today, Unstoppable Domains also reported that their domains were hijacked and that they were having trouble contacting SquareSpace to resolve the issue.

Attacks linked to SquareSpace registrar

Although the exact cause of the compromise hasn’t been determined yet, the compromised domains were all originally registered at Google Domains, which were later force-transferred to Squarespace in 2023 as part of an asset purchase agreement with Google.

Since then, Squarespace has begun migrating domains to its service, and the recently compromised domains are now registered at the company.

“For context – Squarespace purchased all domain registrations and related customer accounts from Google Domains in June 2023, which forced the migration of domains,” tweeted Pendle.

“Recently, attackers exploited a vulnerability in Squarespace, hijacking domains hosted on their platform. Security experts are still working out the exact mechanism for the hijacking attacks, but many domains (including Pendle’s) that were migrated from Google to Squarespace have been affected.”

However, as part of the transition to Squarespace, multi-factor authentication was turned off on accounts. A Squarespace support topic about the Google Domains migration has warned domain owners to enable multi-factor authentication to secure the domains further.

It is unclear how the threat actors are hijacking domains, but a report by crypto security researchers Samczsun, Taylor Monahan, and Andrew Mohawk indicates it could be related to the disabling of multi-factor authentication during the migration process and the automatic creation of accounts for users associated with the domains.

Customers who subscribed to Google Workspace through Google Domains would have had their service migrated to Squarespace, which is also a reseller of Workspace. The researchers believe that the threat actors are utilizing the reseller access and newly created accounts to create new Workspace accounts or tenants associated with the domains.

Other Squarespace customers have also reported receiving suspicious password reset emails, which could indicate that this is a wider credential attack on SquareSpace accounts.

Researchers have compiled a list of domains of cryptocurrency and DeFi-related projects managed by Squarespace that might have been impacted. People are recommended to be vigilant when interacting with those platforms until the situation clears up.

BleepingComputer has contacted Squarespace for a comment on the situation, but we are still waiting for a response.