Two Cryptocurrency Projects Hit by Simultaneous DNS Attacks

On March 15, 2021, the DeFi project Cream Finance and the decentralized exchange PancakeSwap were both targeted by DNS spoofing attacks. As a result, visitors were redirected to fake websites where scammers attempted to steal their seed phrases and private keys in order to gain access to wallets and steal funds.

Upon discovering the attacks, both companies reported the issues on Twitter and urged users to temporarily avoid visiting their websites, emphasizing that the sites themselves had not been compromised. The teams at Cream Finance and PancakeSwap also asked users not to enter their seed phrases or private keys on phishing sites to prevent any loss of funds.

Attack Details and Possible Causes

According to cybersecurity experts, it is likely that the same attacker was behind both incidents, as the DNS records for both sites were changed within a one-minute interval. The exact method used to alter the DNS records remains unclear, but as noted by MalwareHunterTeam, both companies managed their DNS records through the hosting provider GoDaddy.

While it is possible that the attackers compromised the hosting accounts of both companies, there is also a chance that a GoDaddy employee was targeted. This would not be the first such incident: in March and November of the previous year, GoDaddy employees fell victim to phishing attacks. At that time, attackers gained access to the system and changed DNS records for several cryptocurrency and hosting-related resources, including Escrow.com, Liquid.com, NiceHash.com, Bibox.com, Celsius.network, and Wirex.app.

Current Status

Currently, representatives from Cream Finance and PancakeSwap report that they have almost fully regained control over their domains, and for most users, visiting the sites is now safe.
