At least four major cryptocurrency platforms that host their domains on Squarespace have fallen victim to DNS hijacks over the past week. The Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains reported losing control of their official websites last week.
DNS hijacking involves an attacker modifying a target's Domain Name System (DNS) records so that traffic meant for the legitimate website is routed to a server under the attacker's control, typically a phishing page. Attackers get there by compromising either the DNS server itself or the target's account at the DNS service provider (registrar or hosted DNS) and then making unauthorized changes to the records. Because the change happens at the authoritative source, every resolver on the internet hands out the attacker's answer, and whoever controls the records can also pass DNS-based certificate validation, so the fake site can present a valid TLS certificate for the real domain.
The hijackers redirected the domains to malicious servers hosting wallet-draining phishing kits. According to a report published by a team of security researchers, the affected domains had previously been hosted on Google Domains, Google's now-defunct domain business. Squarespace acquired Google Domains in June 2023 and finished migrating Google Domains customers to its own infrastructure in June this year.
The research team noted that when domains were migrated from Google Domains to Squarespace, multi-factor authentication (MFA) on the corresponding accounts was disabled, a technical measure intended to prevent admins from being locked out during the migration.
It's unclear whether Squarespace notified domain admins of the change, but threat actors evidently discovered that MFA was off on some accounts. The leading theory is that they used leaked or stolen credentials to log into those admin accounts and alter the DNS records, hijacking both the public websites (A/AAAA/CNAME records) and the organizations' private email (MX records), since mail flows wherever the MX records point.
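The practical defence against the scenario described above, beyond turning MFA back on, is to notice when the records change. Below is an added example of such a check; it is not code from the researchers' report, from Squarespace, or from any of the affected projects. It assumes a simplified "name TYPE rdata" snapshot layout (a zone-file-like format chosen for this example), and the sample records are constructed using documentation names and addresses. In production the observed snapshot would come from querying the authoritative name servers on a schedule, with the baseline taken when the records were last verified by hand.

```python
"""Detect DNS hijacking by diffing a trusted baseline snapshot against a fresh one.

Added example, not from the original article. The snapshot format ('name TYPE
rdata' per line, ';' comments) is a simplified zone-file layout assumed here.
"""
from __future__ import annotations

from dataclasses import dataclass

# Record types that matter for a hijack: A/AAAA/CNAME redirect the website,
# MX redirects inbound mail, NS moves the whole zone, TXT covers SPF/DMARC.
WATCHED_TYPES = {"A", "AAAA", "CNAME", "NS", "MX", "TXT"}

# Alert ordering: an NS change means the whole zone has been re-delegated,
# which is the strongest indicator of a registrar/DNS-host account compromise.
PRIORITY = (
    ("NS", "zone delegation moved: registrar/DNS-host account compromise"),
    ("A", "website traffic redirected"),
    ("AAAA", "website traffic redirected (IPv6)"),
    ("CNAME", "website traffic redirected via alias"),
    ("MX", "inbound mail redirected"),
    ("TXT", "SPF/DMARC/verification records altered"),
)


@dataclass(frozen=True)
class Record:
    name: str   # owner name, normalised to lowercase with a trailing dot
    rtype: str  # record type, uppercase
    value: str  # rdata, whitespace-collapsed and lowercased


def parse_records(text: str) -> frozenset[Record]:
    """Parse 'name TYPE rdata' lines into a set of normalised records.

    Normalisation makes 'EXAMPLE.COM' and 'example.com.' compare equal, so a
    diff reflects real changes rather than formatting differences.
    """
    records: set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed record line: {raw!r}")
        name, rtype, rdata = parts
        name = name.lower().rstrip(".") + "."
        records.add(Record(name, rtype.upper(), " ".join(rdata.split()).lower()))
    return frozenset(records)


def diff_records(baseline: frozenset[Record], observed: frozenset[Record]):
    """Return (added, removed) records, restricted to the watched types."""
    base = {r for r in baseline if r.rtype in WATCHED_TYPES}
    obs = {r for r in observed if r.rtype in WATCHED_TYPES}
    return obs - base, base - obs


def hijack_indicators(baseline: frozenset[Record], observed: frozenset[Record]) -> list[str]:
    """Turn a record diff into human-readable alerts, highest impact first."""
    added, removed = diff_records(baseline, observed)
    names = sorted({r.name for r in added | removed})
    alerts: list[str] = []
    for rtype, why in PRIORITY:
        for name in names:
            gone = sorted(r.value for r in removed if r.name == name and r.rtype == rtype)
            new = sorted(r.value for r in added if r.name == name and r.rtype == rtype)
            if gone or new:
                alerts.append(f"{name} {rtype}: {why}; removed={gone} added={new}")
    return alerts


# Constructed sample data (RFC 5737 addresses, reserved example names).
BASELINE_ZONE = """\
; trusted snapshot, taken when the records were last verified by hand
example.com.        NS    ns1.example-dns.net.
example.com.        NS    ns2.example-dns.net.
example.com.        A     203.0.113.10
www.example.com.    CNAME example.com.
example.com.        MX    10 mail.example.com.
example.com.        TXT   "v=spf1 mx -all"
"""

OBSERVED_ZONE = """\
; constructed snapshot after an account-level hijack: A and MX repointed,
; NS left alone so the change is invisible at the registrar level
example.com.        NS    ns1.example-dns.net.
example.com.        NS    ns2.example-dns.net.
example.com.        A     198.51.100.77
www.example.com.    CNAME example.com.
example.com.        MX    10 mx.attacker.example.
example.com.        TXT   "v=spf1 mx -all"
"""


def check_sample() -> list[str]:
    """Run the check over the constructed snapshots above."""
    return hijack_indicators(parse_records(BASELINE_ZONE), parse_records(OBSERVED_ZONE))


if __name__ == "__main__":
    for alert in check_sample() or ["no watched record changed"]:
        print(alert)
```

The sample reproduces the pattern the article describes: the NS delegation is untouched (the attacker is inside the DNS provider account, not moving the zone elsewhere), while the A record now points the website at an attacker-controlled host and the MX record silently diverts mail. Running the comparison from outside the provider, against the authoritative servers, is what makes the check independent of the compromised account.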