On 11th July 2024, a series of coordinated DNS hijacking attacks targeted decentralized finance (DeFi) cryptocurrency domains registered with Squarespace. These attacks redirect visitors to phishing sites designed to drain wallets.
DNS hijacking occurs when attackers alter a domain’s DNS records to redirect traffic from the legitimate site to a malicious one, often through compromised DNS servers or accounts at DNS service providers.
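A defender-side check for the record changes described above, as an added example that is not part of the original article: it compares dig-style answers against a pinned baseline and reports any changed A, AAAA, NS, MX or CNAME record set. The domain names, addresses and name servers are constructed samples.

```python
# Added example: compare observed DNS answers against a pinned baseline.
# All domains, addresses and record values below are constructed samples.

WATCHED = {"A", "AAAA", "NS", "MX", "CNAME"}  # types whose change redirects traffic or mail

def parse_records(text):
    """Parse dig-style lines 'name ttl IN type rdata' into {(name, type): {rdata}}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            continue                            # skip anything that is not a full IN record
        name, _ttl, _cls, rtype, rdata = parts  # TTL is ignored: it is not part of identity
        rtype = rtype.upper()
        if rtype not in WATCHED:
            continue
        key = (name.lower().rstrip("."), rtype)
        # Normalise case, whitespace and the trailing root dot in the record data.
        records.setdefault(key, set()).add(" ".join(rdata.lower().split()).rstrip("."))
    return records

def drift(baseline_text, observed_text):
    """Return (name, type, removed, added) for every record set that changed."""
    base, seen = parse_records(baseline_text), parse_records(observed_text)
    findings = []
    for key in sorted(base.keys() | seen.keys()):
        old, new = base.get(key, set()), seen.get(key, set())
        if old != new:
            findings.append((key[0], key[1], sorted(old - new), sorted(new - old)))
    return findings

BASELINE = """\
defi.example.      300 IN A  192.0.2.10
defi.example.      3600 IN NS ns1.registrar.example.
defi.example.      3600 IN NS ns2.registrar.example.
"""
OBSERVED = """\
DeFi.example.      60 IN A  198.51.100.77   ; TTL and case differences are ignored
defi.example.      3600 IN NS ns2.registrar.example.
defi.example.      3600 IN NS ns1.registrar.example.
"""

if __name__ == "__main__":
    for name, rtype, removed, added in drift(BASELINE, OBSERVED):
        print(f"ALERT {name} {rtype}: removed={removed} added={added}")
```

Comparing whole record sets rather than single answers keeps reordered NS responses from raising false alerts while still catching a single swapped name server.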
Crypto Platforms Warn of DNS Hijacks
Recently, several DeFi platforms reported that their website domains were redirecting users to phishing sites with wallet-draining capabilities. All affected domains were registered with Squarespace.
On 11 July 2024, DeFi platform Compound Finance alerted users that its primary domain had been hijacked to display a phishing page.

The platform advised users to avoid visiting its website and offered a secure alternative. Additionally, it recommended that anyone who had interacted with Compound dApps revoke access.
Celer Network, specializing in layer-2 scaling solutions for blockchain applications, also announced an attempted DNS hijack but managed to swiftly recover its DNS records. All three platforms assured users that their protocols remained uncompromised and that funds were safe.

However, users who entered information on the phishing sites are urged to take immediate action, such as revoking smart contract approvals, changing passwords, and transferring funds to a new wallet.


Attacks Linked to Squarespace Registrar
The cause of the compromise is still unclear, but the affected domains were originally registered with Google Domains and were later transferred to Squarespace in 2023 following an asset purchase agreement with Google.

Since acquiring domains from Google Domains in June 2023, Squarespace has been migrating these domains to its service. The recently compromised domains are now registered with Squarespace.
Pendle tweeted, “For context – Squarespace purchased all domain registrations and related customer accounts from Google Domains in June 2023, which forced the migration of domains. Recently, attackers exploited a vulnerability in Squarespace, hijacking domains hosted on their platform. Security experts are still working out the exact mechanism for the hijacking attacks, but many domains (including Pendle’s) that were migrated from Google to Squarespace have been affected.”

During the transition to Squarespace, multi-factor authentication was disabled on accounts. A Squarespace support topic regarding the Google Domains migration advised domain owners to enable multi-factor authentication for added security.
Vulnerability Exploited in Squarespace Migration
While the exact method of the domain hijacking is unclear, a report by crypto security researchers Samczsun, Taylor Monahan, and Andrew Mohawk suggests it may be linked to the disabling of multi-factor authentication during the migration and the automatic creation of accounts for users associated with the domains.
Customers who subscribed to Google Workspace through Google Domains had their service migrated to Squarespace, which is also a reseller of Workspace. Researchers believe threat actors are leveraging reseller access and newly created accounts to establish new Workspace accounts or tenants associated with the domains.
Other Squarespace customers have reported receiving suspicious password reset emails, indicating a broader credential attack on Squarespace accounts.
Researchers have identified a list of cryptocurrency and DeFi-related domains managed by Squarespace that might be impacted. People are advised to remain cautious when interacting with these platforms until the issue is resolved.
