Two cryptocurrency projects simultaneously hit by DNS attacks

On March 15, 2021, Cream Finance’s DeFi project and PancakeSwap decentralized exchange were simultaneously hit by DNS attacks. As a result, visitors ended up on fake sites, where scammers tried to find out their seed phrases and private keys in order to gain access to wallets and steal funds.

After discovering the attacks, both companies reported the problems on Twitter and urged users to temporarily refrain from visiting their sites, emphasizing that the sites themselves were not compromised.

Also, the administration of Cream Finance and PancakeSwap asked users not to enter seed phrases and private keys on cybercriminals’ phishing sites in order to avoid problems.

“Our DNS has been compromised by a third party; some users are seeing requests for seed phrase on http://app.cream.finance. DO NOT enter your seed phrase. We will never ask you to submit any private key or seed phrases. This is unfortunately also happening at @PancakeSwap – be careful out there and do not share your private keys nor seed phrase on any websites or chats”, – Cream Finance on Twitter representatives write on Twitter.

According to information security specialists, the same attacker is clearly behind these attacks, since the DNS records for both sites were changed at an interval of one minute.

How exactly the attackers managed to spoof DNS records for both sites is not yet clear, but as noted by MalwareHunterTeam, both companies managed their DNS records through the hosting company GoDaddy.

“Both CreamdotFinance and PancakeSwap have their domains registered by GoDaddy. So, if someone somehow not phished both companies’ people at the same time, it’s again time to say thanks to GoDaddy”, — MalwareHunterTeam writes.

While the attackers could theoretically compromise the hosting accounts of both companies, it is also possible that a GoDaddy employee was attacked. The fact is that this will not be the first incident of this kind: in March and November of last year, GoDaddy employees have already become victims of phishers.

Then the attackers infiltrated the system and changed the DNS for a number of resources related to cryptocurrency and hosting, including Escrow.com, Liquid.com, NiceHash.com, Bibox.com, Celsius.network, and Wirex.app.

Currently, representatives of Cream Finance and PancakeSwap report that they have almost regained control of the domains, and that it is safe for most users to visit the sites.

We also talked about how Microsoft gained control over six domains of “Coronavirus” scammers.