The hijacking of domain names belonging to Singapore-based cryptocurrency exchange Liquid and several other crypto sites has been attributed to hackers tricking GoDaddy Inc. employees into handing over ownership.
The hack of Liquid, first detected Nov. 13, involved the incorrect transfer of control of an account and domain to a malicious actor. With this access, those behind the attack changed domain name server records and took control of some of the company’s email accounts.
That account and domain were hosted by GoDaddy, according to a Nov. 20 report by Krebs on Security, and Liquid wasn’t the only cryptocurrency company affected. Also successfully targeted was cryptocurrency mining service NiceHash, which has confirmed that its account at GoDaddy had been taken over. Bibox.com, Celsius Network and Wirex.app also may have been targeted.
In a blog post, NiceHash said that in the early hours of Nov. 18 its domain name was not reachable. “The domain registrar GoDaddy had technical issues and as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed,” the company wrote.
NiceHash founder Matjaz Skorjanc told Krebs on Security that the attackers tried to use their access to its incoming emails to perform password resets on various third-party services, including Slack and GitHub. “We detected this almost immediately [and] started to mitigate [the] attack,” Skorjanc said. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen.”
The other companies affected have not publicly commented. Bibox.com was down as of 7 p.m. EST today, while Wirex.app was throwing up a security alert in Google Chrome that included the message “the website sent back unusual and incorrect credentials.” Celsius Network, a cryptocurrency lending and investment company, appears to be online and functional, and the company has made no comment on the report. SiliconANGLE has reached out to the company for comment.
GoDaddy has confirmed the story, saying that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. The company has since undertaken an audit, identified potentially affected accounts and assisted customers in regaining access.
This isn’t the first time GoDaddy has been in the news for security lapses. In May it was reported that 28,000 web hosting accounts had been exposed in a data breach, while in August 2018 data belonging to GoDaddy was found exposed on a misconfigured Amazon Web Services Inc. S3 bucket.