Crypto Platforms Targeted by DNS Attacks Connected to Squarespace
Cybersecurity experts have identified a series of coordinated DNS attacks targeting DeFi crypto platforms whose domains are registered with Squarespace. Attackers have been redirecting visitors from these platforms to phishing sites designed to steal cryptocurrency.
Late last week, several crypto platforms—including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains—warned that their domain DNS records had been altered. As a result, their websites were redirecting users to phishing sites that could steal cryptocurrency and NFTs from connected wallets. All affected domains shared a common registrar: Squarespace.
Compound Finance representatives reported that the project’s main domain had been hijacked by phishers and advised users not to visit the site, offering a safe alternative instead. They also recommended that anyone who had interacted with Compound dApps revoke access as soon as possible.
Celer Network also reported falling victim to a DNS attack. However, according to the company, their team quickly detected and stopped the attempt, restoring the DNS records promptly. “Ongoing investigation indicates that the attack vector was likely related to third parties not affiliated with us,” Celer stated on X (formerly Twitter).
Pendle and Unstoppable Domains faced similar issues, prompting both companies to urge users to immediately revoke smart contract approvals and clear their browser cache.
All affected platforms assured users that these DNS attacks did not compromise their protocols or systems, and that user funds remained safe. However, this did not apply to users who had already entered their information on phishing sites. Those users were advised to urgently revoke all smart contract approvals, change their passwords, and transfer their assets to other wallets.
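Celer's quick recovery above depended on noticing the record change before most visitors did. The following is an added example, not code from the article or from any of the affected projects: a minimal drift check that compares a domain's expected public DNS records against what is currently observed and rates how serious the change is. The baseline and the "observed" records are constructed sample data; a real deployment would feed the observed side from a resolver on a schedule.

```python
"""Baseline-drift check for a domain's public DNS records (added example).

Both snapshots below are constructed for illustration. NS/A/AAAA/CNAME drift is
rated critical because it lets a third party redirect every visitor, which is
exactly the effect the affected platforms reported; MX/TXT drift is rated high
because it can divert mail and weaken sender authentication.
"""
from typing import Dict, List, Set, Tuple

DnsSnapshot = Dict[str, Set[str]]  # record type -> set of published values

# Constructed baseline: what the operator expects to be published.
BASELINE: DnsSnapshot = {
    "NS": {"ns1.example-registrar.test.", "ns2.example-registrar.test."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example-defi.test."},
}

# Constructed observation: nameservers and A record replaced, MX untouched.
OBSERVED_HIJACKED: DnsSnapshot = {
    "NS": {"ns1.attacker-dns.test.", "ns2.attacker-dns.test."},
    "A": {"198.51.100.77"},
    "MX": {"10 mail.example-defi.test."},
}

Drift = Tuple[str, Set[str], Set[str]]  # (record type, added values, removed values)


def diff_dns(baseline: DnsSnapshot, observed: DnsSnapshot) -> List[Drift]:
    """Return one (rtype, added, removed) entry per record type whose value set changed."""
    drift: List[Drift] = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected = baseline.get(rtype, set())
        current = observed.get(rtype, set())
        if expected != current:
            drift.append((rtype, current - expected, expected - current))
    return drift


def severity(drift: List[Drift]) -> str:
    """Map the drifted record types to an alert level."""
    types = {rtype for rtype, _, _ in drift}
    if types & {"NS", "A", "AAAA", "CNAME"}:
        return "critical"  # visitors can be sent to a different host
    if types & {"MX", "TXT"}:
        return "high"      # mail routing or SPF/DKIM/DMARC policy changed
    return "low" if drift else "none"


def check_domain(baseline: DnsSnapshot, observed: DnsSnapshot) -> dict:
    """Single entry point suitable for a scheduled job: drift plus its rating."""
    drift = diff_dns(baseline, observed)
    return {"severity": severity(drift), "drift": drift}


if __name__ == "__main__":
    for rtype, added, removed in diff_dns(BASELINE, OBSERVED_HIJACKED):
        print(f"{rtype}: +{sorted(added)} -{sorted(removed)}")
    print("severity:", severity(diff_dns(BASELINE, OBSERVED_HIJACKED)))
```

Because the comparison is on full value sets, the check also catches partial changes such as one extra nameserver being appended while the legitimate ones remain, which a simple "does the A record still match" test would miss.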
How the Attacks Happened
It has now emerged that all the affected domains were originally registered through Google Domains. In the summer of 2023, Squarespace acquired Google Domains and began migrating former Google customers to its infrastructure in June 2024.
“For reference, Squarespace purchased all domain registrations and related customer accounts from Google Domains in June 2023, which led to a forced migration,” Pendle’s security team explained. “Recently, attackers exploited a vulnerability in Squarespace and took over domains hosted on their platform. Security experts are still investigating the exact mechanism, but many domains (including Pendle’s) that were migrated from Google to Squarespace were affected.”
The root of the problem appears to be that, during the migration to Squarespace, multi-factor authentication (MFA) was disabled on accounts to prevent accidental lockouts of admin accounts. Squarespace’s support team had warned former Google Domains owners to enable MFA for extra protection.
According to initial theories from security experts at Paradigm and Metamask, hackers learned about the MFA being disabled and took advantage of the situation. They may have used stolen or leaked credentials to access admin accounts and change DNS records, compromising both websites and private mail servers.
However, a new theory has emerged: attackers may have discovered a flaw in the method Squarespace used to transfer Google Domains customer data to its servers. This allowed hackers to identify email addresses associated with admin accounts and register those accounts for themselves.
Researchers found that Squarespace pre-registered a number of email addresses to be assigned as domain admins after the migration, without checking if those accounts already existed. Two categories of addresses were used: emails linked to the original Google Domains account and emails of all contributors associated with a specific domain.
“It appears that in Squarespace’s implementation, all email addresses were pre-linked to domains, regardless of whether the account already existed. The company likely wanted users to be able to use Google OAuth and immediately access all their domains,” experts explained. “However, since Squarespace does not require email verification when creating an account with password authentication (meaning you can create an account for [email protected] without owning that email), attackers simply created accounts using any possible email addresses that could have been migrated with the domain but were not yet registered. Once they found a valid email, they gained full access to the associated domains without needing to verify the email address.”
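To make the two conditions the researchers describe concrete (domains pre-linked to every carried-over address, and password signups that never verify the address), here is an added, constructed model of a registrar's provisioning logic. It is not Squarespace's code; the class, method names, domain and addresses are assumptions. The same model runs in an unsafe mode, where a signup receives its pre-linked domains immediately, and a hardened mode, where nothing is attached until the address has been verified.

```python
"""Constructed model of the provisioning flaw described in the article (added
example, not Squarespace's code). A migrated domain is pre-linked to the owner
address and to every contributor address; a password signup for one of those
addresses either receives the linked domains at once (unsafe) or only after
the address is verified (hardened). All names and addresses are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Registrar:
    require_email_verification: bool
    # address -> domains waiting to be attached to whoever proves control of it
    pending_links: dict = field(default_factory=dict)
    # address -> {"verified": bool, "domains": set}
    accounts: dict = field(default_factory=dict)

    def migrate_domain(self, domain: str, owner: str, contributors: list) -> None:
        """Pre-link the domain to every address carried over from the old registrar."""
        for address in [owner, *contributors]:
            self.pending_links.setdefault(address, set()).add(domain)

    def signup_with_password(self, address: str) -> dict:
        """Create an account for an address without proving control of it.

        Unsafe mode attaches the pending domains immediately, so whoever
        registers the address first controls them. Hardened mode attaches
        nothing until verify_email() succeeds.
        """
        if address in self.accounts:
            raise ValueError(f"account already exists for {address}")
        account = {"verified": False, "domains": set()}
        self.accounts[address] = account
        if not self.require_email_verification:
            account["domains"] |= self.pending_links.pop(address, set())
        return account

    def verify_email(self, address: str) -> dict:
        """Mark the address verified (a real system would confirm a one-time
        link sent to the mailbox) and only then attach the pre-linked domains."""
        account = self.accounts[address]
        account["verified"] = True
        account["domains"] |= self.pending_links.pop(address, set())
        return account

    def domains_controlled(self, address: str) -> set:
        return set(self.accounts.get(address, {}).get("domains", set()))


def domains_after_unverified_signup(require_email_verification: bool) -> set:
    """Migrate one constructed domain, then sign up for a contributor address
    without verifying it; return the domains that account now controls."""
    registrar = Registrar(require_email_verification)
    registrar.migrate_domain(
        "example-defi.test",                 # constructed domain
        "owner@example-defi.test",           # original account holder
        ["contributor@example-defi.test"],   # collaborator listed on the domain
    )
    registrar.signup_with_password("contributor@example-defi.test")
    return registrar.domains_controlled("contributor@example-defi.test")


if __name__ == "__main__":
    print("unsafe:  ", domains_after_unverified_signup(False))  # {'example-defi.test'}
    print("hardened:", domains_after_unverified_signup(True))   # set()
```

The hardened mode is the minimum fix: pre-linking by address is tolerable only if control of the address is proven before the link becomes effective. A registrar doing a migration of this kind would also want to notify the original owner when a new account claims an address that carries pending links, so a claim that never completes verification is still visible to the people it concerns.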
Risks and Recommendations
Experts have already compiled a list of crypto-related domains hosted on Squarespace. Users are advised not to visit these sites until their administrators confirm that the domains are secured and MFA is enabled for Squarespace accounts.
Researchers also warn that attackers may try to use compromised domains to escalate attacks and move laterally within organizations. For example, there have already been cases where hackers created new Google Workspace admin accounts and registered new devices and browsers.
Cybersecurity firm Blockaid, one of the first to detect these DNS attacks, warns that hackers appear to be expanding their phishing infrastructure to target various brands, including those already compromised.
While the current attacks are focused on crypto-related sites, the same vulnerability threatens all former Google Domains site owners now hosted on Squarespace.
As of now, Squarespace has not made any official statements regarding the situation.