Malicious actors target Squarespace-provided domain names in connection with numerous cryptocurrency initiatives
Security professionals advise that projects improve their protection by enabling two-factor authentication (2FA) on Squarespace.
0xngmi, the pseudonymous developer of DeFiLlama, reported on July 11 that over 100 crypto projects, including Polymarket, Hyperliquid, dYdX, and THORChain, are at risk of being compromised.
Blockaid, a blockchain security firm, affirmed that an attacker had taken control of the DNS registry for Compound Finance and the interoperability protocol Celer Network. Subsequently, the attacker redirected visitors to a page that would drain funds from their wallets.
The security company stated:
“From initial assessment, it appears that the attackers are operating by hijacking DNS records of projects hosted on SquareSpace…The attackers are using a drainer kit associated with the most recent iteration of the Inferno drainer group.”
Concurrently, additional projects such as Unstoppable Domains and DeFi project Pendle have reported domain name breaches, which underscores the ongoing security threats. As of press time, Pendle declared that its domain was secure.
The CEO of Unstoppable Domains, a Web3 domain provider, Matthew Gould, cautioned users against clicking on any links. He also stated that the assailants were attempting to establish a phony website and disseminate phishing emails.
He stated:
“If you were on Google domains and got migrated to Squarespace you are vulnerable and should let your engineering team know to move immediately.”
It is uncertain whether any of these breaches caused financial losses for users of these platforms.
As of publication, Squarespace has not responded to CryptoSlate’s request for comment.
What is the reason for the attack?
Bobby Ong, the proprietor of CoinGecko, disclosed that Squarespace’s domain registrar was responsible for a security breach. He clarified that the forced migration of domains following the sale of Google’s domain business to Squarespace resulted in the removal of two-factor authentication (2FA).
Ong stated:
“Google sold their domain business to Squarespace a few months ago and the forced migration of domains to Squarespace removed 2FA causing all these domains to be vulnerable and several have been hijacked.”
The precise mechanism behind these hijackings is still being determined by security experts, as noted by DeFi project Pendle, which also emphasized the significant scale of the attack. It was further stated that the migration from Google to Squarespace impacted numerous domains.
Pendle stated:
“ICANN’s domain transfer policies prevent us from transferring domains away from Squarespace for another ~20 days.”
In the interim, a security advisory from SEAL 911, a group of white hat hackers that includes ZachXBT, Paradigm’s Samczsun, Consensys’ Taylor Monahan (Tayvano), and Andrew Mohawk, indicated that Squarespace may have been compromised through a social engineering attack.
Solutions?
Security specialists recommend enabling two-factor authentication (2FA) on Squarespace to improve project security.
Additionally, they recommend the removal of reseller access and superfluous contributor accounts. Furthermore, they recommend that all modifications to DNS records be undone and that superfluous administrators be removed from accounts.
Experts recommend that affected projects consider transitioning to alternative providers, including Amazon Web Services, Cloudflare, MarkMonitor, and CSC DBS.