Over the last week, various cryptocurrency trading platforms suffered cyberattacks that harmed their businesses. It appears that the main cause of the breaches is GoDaddy, the world's largest domain registrar: by targeting GoDaddy employees with phishing scams, hackers were able to gain control of customers' domain names.
While GoDaddy didn't reveal how the employees were compromised by the phishing attacks, the company said that a "limited" number of employees were targeted by sophisticated social engineering scams. The attackers' first target was liquid.com, a cryptocurrency trading platform, one of whose core domain names was transferred to the hackers on November 13.
With control of the domain, the hackers could change DNS records, take control of "a number of internal email accounts" and compromise the network infrastructure. They were also able to gain control of the document storage.
"We believe the malicious actor was able to obtain personal information from our user database. This may include data such as your email, name, address and encrypted password. We are continuing to investigate whether the malicious actor also obtained access to personal documents provided for KYC such as ID, selfie and proof of address, and will provide an update once the investigation has concluded," Liquid CEO Mike Kayamori wrote in a blog post.
Attack on NiceHash
However, Liquid was not alone. By compromising GoDaddy, the hackers were also able to gain control of NiceHash, a cryptocurrency mining platform. On November 18, the settings of some of the domain names registered with GoDaddy were changed without any authorization, and web traffic was redirected. NiceHash promptly took action, freezing all customers' funds for 24 hours.
NiceHash founder Matjaz Skorjanc told KrebsOnSecurity that the changes were made from an internet address associated with GoDaddy. He added that the hackers tried to use the emails to reset the passwords on various third-party services such as GitHub and Slack. With widespread system outages at GoDaddy, he could not contact the company either.
"We detected this almost immediately [and] started to mitigate the attack. Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen," Skorjanc told KrebsOnSecurity. In a blog post, the company wrote that personal information such as email addresses and passwords was not accessed, but it nevertheless advised users to reset their passwords.
Many Others Targeted
Apart from NiceHash and Liquid, other cryptocurrency platforms were also targeted. During the investigation, Skorjanc observed that NiceHash's email service was redirected to privateemail.com. It was revealed that the same group also targeted Bibox.com, Celsius.network, and Wirex.app.
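The pattern in these incidents is the same: the attacker never touches the victim's servers, but changes the domain's delegation (NS), mail routing (MX) or web address (A) at the registrar, so the first thing a defender sees is a DNS record that no longer matches what change management authorized. The following baseline-diff check is an added example, not part of the article and not code from any company named in it; the domains, name servers and IP addresses are constructed placeholders (reserved example ranges), and the "observed" snapshot is hand-built to simulate a registrar-level hijack rather than fetched from a resolver.

```python
"""Detect unauthorized DNS changes by diffing observed records against an authorized baseline.

Added example; all domains, hosts and addresses below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    expected: frozenset
    observed: frozenset
    severity: str


# Records as authorized in change management (constructed values).
BASELINE = {
    "exchange.example": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "MX": {"mail.exchange.example"},
        "A": {"192.0.2.10"},
    },
}

# Snapshot a scheduled job would collect from a public resolver (constructed;
# simulates delegation, mail and web traffic all moved to attacker-controlled hosts).
OBSERVED = {
    "exchange.example": {
        "NS": {"ns1.attacker-dns.example", "ns2.attacker-dns.example"},
        "MX": {"mx1.thirdparty-mail.example"},
        "A": {"198.51.100.77"},
    },
}

# A delegation change hands the attacker every other record, so it outranks the rest.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "TXT": "medium"}
_ORDER = {"critical": 0, "high": 1, "medium": 2}


def normalize(name: str) -> str:
    """Canonicalize a DNS name: names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def diff_records(baseline: dict, observed: dict) -> list:
    """Return one Finding per (domain, record type) whose observed set differs from the baseline.

    A domain or record type missing from `observed` is reported as an empty set, since
    a vanished MX or NS set is itself a change worth alerting on.
    """
    findings = []
    for domain, expected_sets in baseline.items():
        observed_sets = observed.get(domain, {})
        for rtype, expected in expected_sets.items():
            want = frozenset(normalize(v) for v in expected)
            seen = frozenset(normalize(v) for v in observed_sets.get(rtype, ()))
            if want != seen:
                findings.append(Finding(domain, rtype, want, seen, SEVERITY.get(rtype, "medium")))
    # Highest severity first; sort is stable so ties keep baseline order.
    findings.sort(key=lambda f: _ORDER[f.severity])
    return findings


def format_alert(findings: list) -> str:
    """Render findings as one alert line each, suitable for a pager or chat hook."""
    return "\n".join(
        f"[{f.severity.upper()}] {f.domain} {f.rtype}: "
        f"expected {sorted(f.expected)}, observed {sorted(f.observed)}"
        for f in findings
    )


if __name__ == "__main__":
    print(format_alert(diff_records(BASELINE, OBSERVED)))
```

When wiring this to live data, query the delegation from the parent zone (the TLD's name servers) or from an independent public resolver rather than from your own authoritative servers: after a registrar-level change your own servers still answer with the old, correct records, so they would never show the hijack. Registrar lock and the registrar's own change notifications are the complementary preventive controls.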
However, this is not the first time GoDaddy's security has come under the scanner. In March 2020, escrow.com, a transaction brokering website, was also targeted by hackers who gained access to its DNS through a similar phishing technique against GoDaddy employees. Furthermore, GoDaddy revealed in May this year that the accounts of 28,000 of its customers had also been compromised. That security incident took place in October 2019, and the company noticed it only in April 2020.
GoDaddy spokesperson Dan Race said that the affected accounts were immediately locked down and changes were reverted. "As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks," he said.