In the wake of the recent DNS hijacking attack on decentralized finance (DeFi) protocols, fresh insights have emerged about the potential extent and nature of the breach.
The incident, highlighted by various sources, including blockchain security firm Blockaid, involved attackers targeting DNS records hosted on Squarespace.
Those records were redirected to IP addresses associated with known malicious activities, Ido Ben-Natan, co-founder and CEO of Blockaid, told Decrypt.
Ethereum-based DeFi protocol Compound and multi-chain interoperability protocol Celer Network were impacted Thursday, with their respective front-ends redirecting visitors to a page that drains the funds from connected wallets.
While the full extent of the hijack is not yet known, roughly 228 DeFi protocol front ends are still at risk, Ben-Natan said.
"The association to Inferno Drainer is clear as shared onchain and offchain infrastructure," Ben-Natan said. "This includes onchain wallet and smart contract addresses as well as offchain IP addresses and domains linked to Inferno."
Inferno Drainer's wallet kit allows cybercriminals to steal funds from unsuspecting users. It operates by prompting users to sign malicious transactions that give the attacker control over their digital assets.
Once the transaction is signed, the drainer kit swiftly transfers the funds from the victim's wallet to the attacker's address. The kit is often deployed through phishing websites or compromised domains.
The Inferno Drainer group has been active for some time, targeting various DeFi protocols and exploiting different vulnerabilities. Their use of shared infrastructure makes it easier for security firms to track and identify related attacks, something Ben-Natan was quick to point out.
"Blockaid is able to track the addresses," he said. "Our team has also been working closely with the community to ensure there’s an open channel to report compromised sites."
By creating verified onchain records for domains, an additional layer of protection can be offered for browsers and other systems to check, helping to offset the risk of DNS attacks.
So says Matthew Gould, founder of Web3 domain provider Unstoppable Domains, in a Thursday post on X.
DNS records can be configured not to update unless a verified onchain signature is provided, he said.
At present, to change DNS records for Web3 domains, users must provide a signature for verification before any updates can be made.
Even though this doesn't use an onchain mirror host, it still requires user identity verification for updates, Gould said.
A new feature could be added where DNS updates need a signature from the user's wallet. This would make it much harder for hackers because they would need to hack both the registrar and the user separately, the founder said.