- Hackers are seizing expired domains of defunct DeFi projects to steal users’ cryptocurrencies.
- At least 100 cases of repurposed DeFi websites with malicious wallet-draining code have been documented.
- Links to these domains still appear on reputable crypto platforms, increasing victim exposure.
- Coinspect and other firms recommend that project owners renew or flag expired domains to prevent exploits.
- The frequency and sophistication of these attacks may increase as more DeFi projects become inactive.
Hackers are gaining control of expired web domains from inactive decentralised finance (DeFi) projects and using them to deploy schemes that drain cryptocurrency from users’ wallets, according to findings published by security firm Coinspect on Wednesday. The targeted domains belong to projects that have shut down, making it easier for attackers to take over the sites and lure unsuspecting users.
So far, Coinspect has identified more than 100 cases where attackers have reactivated former DeFi project domains and inserted harmful code. Links to these compromised sites remained live on trusted crypto data platforms like DefiLlama and DappRadar until they were identified and removed. According to Chainalysis, 2024 is on pace to become the worst year for crypto theft, with digital criminals expected to exceed previous records set by incidents such as the $1.4 billion Bybit exchange hack earlier in the year.
Attackers replicate the original branding and credibility of these “zombie” DeFi sites to trick users into connecting their wallets or signing malicious transactions. As Coinspect noted, “By reusing the project’s original branding and reputation, attackers can trick users into signing malicious transactions.” Unlike traditional phishing scams, attackers do not need to send unsolicited messages; users may visit these sites directly through longstanding, reputable links.
One example cited was Astar Exchange, previously holding $3.5 million in investor funds before shutting down. Its expired domain was re-registered and transformed into a fake site that prompted users to withdraw funds, which actually authorized wallet-draining transactions. Other affected projects included ADAO, Andromeada, and Ladex Exchange.
Coinspect worked with DefiLlama and other data aggregators to delist compromised domains and identify at-risk projects. So far, 475 expired domains have been reported. The firm recommends defunct projects renew their domains, clearly post shutdown notices, and alert crypto data platforms and security teams about their status.
So far, the attacks have been basic and easy to detect, but Coinspect warns that future tactics could become more advanced and harder to spot. For more details, the company’s full analysis is available in their blog post.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Swiss National Bank Extends Wholesale CBDC Pilot to Mid-2027
- Ghana to License Crypto Platforms Amid Surging Digital Demand
- DFINITY Launches Public Real-Time Access Logs for ICP Network
- MoonPay Launches Global Solana Staking With 8.49% APY Offer
- io.net Launches Training as a Service for Models and Agents
