The website of the v3 trading platform run by dYdX, a popular cryptocurrency exchange, was compromised in a DNS hijacking incident. The platform has since regained control of the domain, but urged users to exercise caution and to clear their browser cache and restart their browsers before accessing the site again, since cached DNS answers can keep pointing at the attacker's server after the records are fixed.
The breach was initially disclosed through an incident report on dYdX’s official status page: “We just learned that dYdX v3 website (dYdX.exchange) has been compromised. Please do not visit the website or click any links until further notice.”
The platform assured users that while the website was compromised, the underlying smart contracts remained secure, and funds within the v3 system were safe.
Further details emerged from dYdX’s official Discord server, where a team member revealed that the attacker had hijacked the domain and pointed it at a malicious copycat website. The fake site prompted users to connect their wallets and sign approvals through Permit2, Uniswap's signature-based token-approval contract. A signed Permit2 message grants the named spender an allowance over the victim's tokens, so once a user signs one for the attacker's contract, the attacker can transfer the tokens later without any further interaction from the victim.
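To make the Permit2 angle concrete, the following is an added example (not dYdX's or any wallet vendor's code) that inspects the EIP-712 JSON a dapp hands to eth_signTypedData_v4 and flags the pattern a drainer relies on: an unknown spender, an unlimited uint160 amount and an expiration far in the future. The two payloads at the bottom are constructed for the example, the trusted-spender allowlist is hypothetical, and the fixed clock value is there only to make the run deterministic.

```python
"""Flag Permit2 signature requests that look like a wallet drainer.

Added example, not code from dYdX or from any wallet. It audits the typed-data
JSON before the user signs it. Sample payloads are constructed; the
TRUSTED_SPENDERS allowlist is a hypothetical stand-in for the contract
addresses a dapp publishes.
"""
import time

# Canonical Permit2 contract address (deployed at the same address on every chain).
PERMIT2_ADDRESS = "0x000000000022d473030f116ddee9f6b43ac78ba3"
UINT160_MAX = (1 << 160) - 1   # PermitDetails.amount is a uint160
UINT48_MAX = (1 << 48) - 1     # PermitDetails.expiration is a uint48
ONE_YEAR = 365 * 24 * 3600

# Hypothetical allowlist: the spender contracts the user actually intends to authorise.
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def _norm(addr: str) -> str:
    return addr.lower()


def audit_permit2_request(typed_data: dict, trusted_spenders=TRUSTED_SPENDERS, now=None) -> list:
    """Return a list of red flags for a Permit2 AllowanceTransfer request.

    Handles PermitSingle and PermitBatch. An empty list means nothing looked
    suspicious; it is not proof the request is safe.
    """
    now = int(time.time()) if now is None else now
    findings = []
    domain = typed_data.get("domain", {})
    if domain.get("name") != "Permit2":
        return findings  # not a Permit2 request; out of scope for this check

    if _norm(domain.get("verifyingContract", "")) != PERMIT2_ADDRESS:
        findings.append("verifyingContract is not the canonical Permit2 contract")

    primary = typed_data.get("primaryType")
    msg = typed_data.get("message", {})
    if primary == "PermitSingle":
        details = [msg["details"]]
    elif primary == "PermitBatch":
        details = list(msg["details"])
    else:
        findings.append(f"unhandled Permit2 primaryType {primary!r}")
        return findings

    spender = _norm(msg.get("spender", ""))
    if spender not in {_norm(s) for s in trusted_spenders}:
        findings.append(f"spender {spender} is not on the trusted list")

    for d in details:
        token = _norm(d["token"])
        if int(d["amount"]) >= UINT160_MAX:
            findings.append(f"unlimited allowance requested for token {token}")
        if int(d["expiration"]) - now > ONE_YEAR:
            findings.append(f"allowance for token {token} expires more than a year out")

    if int(msg.get("sigDeadline", 0)) - now > ONE_YEAR:
        findings.append("sigDeadline is more than a year out")
    return findings


NOW = 1_720_000_000  # fixed clock for a deterministic run (constructed)

# Constructed payload in the shape a copycat site's drainer would request:
# several tokens, unlimited amounts, effectively permanent, attacker-controlled spender.
DRAINER_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2_ADDRESS},
    "primaryType": "PermitBatch",
    "message": {
        "details": [
            {"token": "0x" + "aa" * 20, "amount": str(UINT160_MAX), "expiration": str(UINT48_MAX), "nonce": "0"},
            {"token": "0x" + "bb" * 20, "amount": str(UINT160_MAX), "expiration": str(UINT48_MAX), "nonce": "0"},
        ],
        "spender": "0x" + "ee" * 20,
        "sigDeadline": str(UINT48_MAX),
    },
}

# Constructed benign payload: one token, bounded amount, short expiry, known spender.
BENIGN_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2_ADDRESS},
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0x" + "aa" * 20, "amount": str(1000 * 10**6), "expiration": str(NOW + 1800), "nonce": "3"},
        "spender": "0x1111111111111111111111111111111111111111",
        "sigDeadline": str(NOW + 600),
    },
}

if __name__ == "__main__":
    for name, req in (("drainer", DRAINER_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, audit_permit2_request(req, now=NOW) or ["no findings"])
```

The spender check is the one that matters most: a drainer can keep amounts and expirations modest and still succeed if the user signs for a contract they do not recognise, which is why wallet prompts should surface the spender address prominently rather than just the token list.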
The incident is suspected to be part of a broader wave of DNS hijacking attacks targeting DeFi platforms whose domains are managed through the Squarespace registrar, reported BleepingComputer. The dYdX incident report partially confirmed this suspicion, identifying a DNS issue as the root cause.
“A fix to the DNS resolution has been implemented. However, due to caching, the issue may not be fixed for every user yet,” clarified the status page.
On July 12, we reported that at least a dozen organisations with domain names registered through Squarespace experienced website hijackings between July 9 and July 12.
These DNS hijacking attacks redirected visitors of the compromised crypto platforms to phishing sites equipped with wallet-draining malware. The affected domains were originally registered with Google Domains and were force-transferred to Squarespace after Google sold the Google Domains business to Squarespace.
During the migration, MFA on the domain management accounts was disabled, leaving them exposed. Researchers advised domain owners to re-enable MFA after the migration, but many have not.
After observing the attackers’ methods, security researchers suggested that a threat actor could gain full control of a migrated domain simply by knowing an email address associated with it. This works because Squarespace does not require email validation when an account is created, so anyone can register with any email address, including one linked to a victim's domain, without proving they control it.
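Because a registrar-account takeover shows up as a change to the domain's delegation and address records, the quickest detection is to diff the live answers against a pinned baseline. The following is an added example of that check, not tooling from dYdX, Squarespace or BleepingComputer. The baseline, the "live" dig output and the domain and nameserver names are all constructed placeholders; check_records() is network-free, and fetch_records() is the optional wrapper around dig for running it for real.

```python
"""Detect DNS hijacking by diffing live records against a pinned baseline.

Added example, not any platform's or registrar's tooling. BASELINE and
LIVE_DIG_OUTPUT are constructed; the .invalid names are placeholders.
"""
import shutil
import subprocess

# Pinned baseline of the records you expect. Keep it in version control and
# alert on every diff; a changed NS set is the strongest takeover signal.
BASELINE = {
    ("example-dex.invalid", "NS"): {"ns1.registrar.invalid.", "ns2.registrar.invalid."},
    ("example-dex.invalid", "A"): {"203.0.113.10"},
    ("app.example-dex.invalid", "A"): {"203.0.113.11"},
}


def parse_dig_short(output: str) -> set:
    """Turn `dig +short` output (one record value per line) into a set."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def fetch_records(name: str, rtype: str, resolver: str = "1.1.1.1") -> set:
    """Query a public resolver with dig; needs the dig binary and network access.

    Querying a public resolver rather than the local stub avoids the stale
    cache that the dYdX status page warned about.
    """
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    proc = subprocess.run(
        ["dig", "+short", f"@{resolver}", name, rtype],
        capture_output=True, text=True, check=True,
    )
    return parse_dig_short(proc.stdout)


def snapshot_from_dig(outputs: dict) -> dict:
    """Build a {(name, rtype): set(values)} snapshot from raw dig output strings."""
    return {key: parse_dig_short(text) for key, text in outputs.items()}


def check_records(baseline: dict, live: dict) -> list:
    """Return one alert line per record set that differs from the baseline.

    NS drift is rated CRITICAL: it means control of the zone moved, which is
    exactly what a registrar-account takeover achieves. A or other drift is
    WARNING, since it can also be legitimate infrastructure change.
    """
    alerts = []
    for (name, rtype), expected in baseline.items():
        observed = live.get((name, rtype), set())
        if observed == expected:
            continue
        added = sorted(observed - expected)
        removed = sorted(expected - observed)
        severity = "CRITICAL" if rtype == "NS" else "WARNING"
        alerts.append(f"{severity} {name} {rtype}: added={added} removed={removed}")
    return alerts


# Constructed dig +short output as it would look after a hijack: the apex NS
# and A records now point at attacker infrastructure; the app host is untouched.
LIVE_DIG_OUTPUT = {
    ("example-dex.invalid", "NS"): "ns1.attacker-dns.invalid.\nns2.attacker-dns.invalid.\n",
    ("example-dex.invalid", "A"): "198.51.100.77\n",
    ("app.example-dex.invalid", "A"): "203.0.113.11\n",
}

if __name__ == "__main__":
    for line in check_records(BASELINE, snapshot_from_dig(LIVE_DIG_OUTPUT)):
        print(line)
```

Run this from a scheduler every few minutes and page on any CRITICAL line; for a registrar-level hijack the NS change is visible at the parent zone before it propagates, so a second probe using dig +trace against the TLD servers catches it even earlier.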
This website-hijacking incident comes at a time when dYdX Trading is negotiating with multiple buyers, including Wintermute Trading and Selini Capital, to sell its v3 software, as reported by Bloomberg.
Despite regaining control of the compromised domain, dYdX advises users to exercise caution.
Recently, India-based crypto-trading platform WazirX experienced a massive hack in which threat actors siphoned off $230 million from the platform’s Liminal multi-sig wallets. To recover the stolen assets, WazirX also offered a bounty program and invited researchers from across the globe.