Scammers Buy Abandoned DeFi Domains to Deploy Malicious Drainers

Cryptocurrency users were warned Monday about a new scam targeting abandoned decentralized finance (DeFi) projects, where attackers purchase expired domains and replace legitimate interfaces with malicious transaction requests. The alert came from 0xngmi, the pseudonymous founder of analytics platform DeFiLlama, who confirmed they are removing expired domains from their platform and browser extension to protect users.

“I’ve noticed that scammers have started buying old abandoned defi domains to replace the frontend with drainers,” 0xngmi posted on X (formerly Twitter). “So if you’re going to some dead defi project to withdraw some money you put there and forgot about, be careful about that.”

This scamming method differs from more common approaches as it requires no active participation from attackers after setup. Instead, it relies on former users returning to familiar, previously trusted websites to withdraw funds they had deposited when the project was operational. With no remaining team to alert users about the security breach, these traps are particularly dangerous.

A community member highlighted the risk by noting that the official domain of the defunct Maker sub-DAO Sakura is currently available for just one cent, illustrating how accessible this attack vector is to potential scammers.

Understanding Front-End Attacks in DeFi

Unlike centralized exchanges, DeFi protocols operate directly on blockchains such as Ethereum or Solana. Most users interact with these protocols through project websites (front-ends) that create transactions to be signed via crypto wallets. While users can technically craft transactions using other tools like Etherscan, most rely on the official interfaces.

These front-ends represent a significant vulnerability. Common attack methods include compromising official sites through social engineering of DNS providers, creating clone sites with modified transaction requests, or Hosting similar-looking URLs that are promoted through spoofed hyperlinks on social media platforms and search engines.

Not all front-end losses stem from deliberate scams. Some occur due to code vulnerabilities, as demonstrated by Friday’s $2.6 million incident on Morpho, a DeFi lending platform, which was fortunately intercepted by a well-known MEV bot.

The Broader Landscape of DeFi Security Threats

Front-end attacks represent just one category of risks facing DeFi users. Other significant threats include smart contract exploits and private key compromises, which often result in larger collective losses when protocol assets are drained simultaneously.

Recent examples illustrate this broader threat landscape. On Monday, ZKsync announced that $5 million in ZK tokens from their airdrop had been stolen after an apparent 1-of-1 multisig compromise. The previous day, decentralized perpetuals exchange KiloEx lost $7.5 million due to a vulnerability in its price oracle system.

Additional risks come from within project teams themselves, who often control large quantities of their tokens. Teams can withdraw liquidity unexpectedly or sell tokens over-the-counter, causing significant price volatility that can liquidate leveraged positions on overvalued tokens.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Futureverse Acquires Candy Digital, Gaining Access to MLB, Netflix IP
• Crypto Market Dips: CoinDesk 20 Index Down 1% as 19 Assets Fall
• VanEck exec proposes Bitcoin-backed ‘BitBonds’ to refinance US debt
• Securitize Acquires MG Stover, Becomes Largest Digital Asset Administrator
• Musk Unfollows Crypto Influencer Fong After Baby Offer Rejection