After tricking GoDaddy employees into supplying them with keys to client accounts, cybercriminals were able to alter the DNS settings of certain cryptocurrency websites.
The event occurred earlier this month and impacted an undisclosed number of clients of the firm, including at least two websites connected to cryptocurrencies: the Liquid virtual currency exchange portal and the NiceHash crypto-mining operation.
On November 18, both platforms announced that threat actors were able to hack their internal networks after GoDaddy wrongly turned over custody of their accounts.
Liquid CEO Mike Kayamori confirmed that the incident took place on November 13, and that the “ability to change DNS records and in turn, take control of a number of internal email accounts” was given to the threat actor.
The attacker thus damaged the resources of the trading network and also obtained access to record storage. The platform said that shortly after detecting the attack it took the appropriate measures to contain it, as well as “preventing further intrusions and mitigating risk to customer accounts and assets.”
We will ensure that consumer funds are accounted for and remain safe and stable by containing the threat, reaffirming domain ownership, and carrying out a thorough review of our infrastructure. Kayamori said that MPC-based and cold storage crypto wallets are safe and have not been hacked.
NiceHash reported that the same GoDaddy problems triggered a service interruption on November 18th, and that the DNS records for the NiceHash.com domain were changed as a result of unauthorised access to the domain settings.
The firm promptly froze all wallet operations, and resumed its service after ensuring that funds were safe and customers had access to their accounts. Pending the outcome of an independent investigation into the incident, withdrawals were suspended.
“It looks like no emails, passwords, or any personal information has been accessed at this point in time, but we do suggest resetting your password and activating 2FA security,” the firm said last week.
Looking into the attack, investigative journalist Brian Krebs found that the threat actors used social engineering to manipulate GoDaddy staff into changing access to the accounts, and that the addresses for all the targeted accounts were changed to privateemail.com.
Cryptocurrency sites that may have been attacked by the same group of hackers include Bibox.com, Celsius.network, and Wirex.app, in addition to Liquid and NiceHash.
GoDaddy appears to have acknowledged the incident, saying that only a limited number of clients were harmed, but it has not provided specifics about how the attackers targeted its staff.