In the world of cryptocurrency, security often revolves around smart contracts—their audits, functionality, and how to protect against a myriad of exploits. While these Web3 security concerns remain crucial, there's a growing threat vector you’re likely not as vigilant about: the security of Web2 infrastructure, particularly Domain Name Systems (DNS). Fair warning: a DNS vulnerability can be just as catastrophic as a smart contract exploit—and yet it often receives far less scrutiny.

Right now, DNS hijacking attacks are unfortunately making the rounds and proving this point. Recent studies reveal that [33% of organizations fell victim to DNS hijacking attempts in 2023](https://efficientip.com/resources/cyber-threat-intelligence-idc-2023-global-dns-threat-report/), with approximately [20% of DNS records being misconfigured](https://efficientip.com/resources/cyber-threat-intelligence-idc-2023-global-dns-threat-report/) and, therefore, vulnerable. In an industry where a single vulnerability can unleash massive financial losses, these statistics definitely aren’t trending in the right direction.

Let’s break down how DNS hijacking works, explore the attack vectors, review what happened recently with Ambient Finance, and discuss our essential recommendations to defend against these types of attacks.

### **What Is DNS Hijacking?**

DNS hijacking occurs when attackers manipulate your domain's resolution process, redirecting users to malicious servers instead of legit ones. Think of it like a traditional phonebook, except one your neighbor’s tampered with—so users believe they're accessing your authentic platform, but they're actually interacting with a fraudulent site designed to capture sensitive information like private keys, passwords, or other sensitive credentials. Your users aren’t even calling the right area code, so to speak.

DNS hijacking is particularly dangerous for crypto due to its store of high value of digital assets. If an attacker successfully tricks users into entering their seed phrases or signing transactions on a malicious site, the impact could be catastrophic–and, worse, irreversible.

### **The 2024 Ambient Finance Attack: What We Know**

The [attack on decentralized finance (DeFi) protocol Ambient Finance in October 2024](https://cointelegraph.com/news/ambient-finance-frontend-hacked-team-warns-users-wait) serves as a sobering example. Through DNS hijacking, attackers redirected users to a malicious clone of the platform using the infamous malware suite Inferno Drainer. This incident highlighted a stark reality: in a space where transactions are, as we mentioned, irreversible and assets are ultra-liquid, a DNS hijacking attack can be just as devastating as a smart contract vulnerability.

In Ambient Finance’s case, users trusted their domain and interface without ever realizing they were interacting with a malicious site–giving the attackers an opening to drain multiple wallets in a blip. But they’re far from alone. [In August 2022, Curve Finance also suffered an exploit](https://cointelegraph.com/news/curve-finance-exploit-experts-dissect-what-went-wrong) to the tune of 600K+ USDC when attackers managed to clone their website and rerouted the DNS server to a fake page. Just a few months earlier in May 2022, [Mad Meerkat Finance had the front-end of its DEX compromised with a staggering $2M in losses](https://cryptobriefing.com/cronos-defi-project-mm-finance-suffers2m-exploit/).

In a perfect world, users would ultimately be responsible for every transaction they sign, but the reality is that it’s difficult to validate that the smart contract they’re interacting with belongs to said protocol just from the wallet user interface. Even successfully validating these addresses (often buried in docs/GitHub) might not prevent every attack, though it’s a solid first step. And since one successful attack can reverberate as reputational damage for months—and even years—after, we’d all be a lot smarter to be proactive about protecting users. As we’ve seen, any project can be vulnerable, and the price paid can be devastating—either in currency or reputation.

### **Attack Vectors in DNS Hijacking**

There are several key techniques attackers use to execute DNS hijacking attacks. Each presents unique risks that crypto projects need to understand and mitigate:

**1. DNS Cache Poisoning**

Attackers exploit vulnerabilities to inject false information into DNS caches, redirecting legitimate queries to malicious sites. Who can be affected? Exchanges and crypto wallets that rely on a Web2 interface for users to interact with smart contracts—all of which can lead to significant fund loss in this attack vector.

**2. Man-in-the-Middle (MITM) Attacks**

Bad actors actively intercept DNS requests and responses to inject malicious payloads and exploit known vulnerabilities within an organization's infrastructure. They swap the correct IP address with an IP address of their choosing that’s tied to their malicious server. When users are interacting with wallets or decentralized exchanges and unknowingly seeing data altered in real time, this threat is 10X’d. One way to mitigate this risk is by using HTTPS for your app.

**3. Domain Registrar Hijacking**

Attackers gain unauthorized access to domain registrar accounts, allowing them to modify DNS records and redirect traffic to servers under their control. How might they do this? By phishing for admin accounts, social engineering support, accessing registrar insiders, or straight up committing identity theft. One of our authors has even personally seen a power of attorney issued on a forged passport in the name of a company’s CEO. So the threat can come from virtually anywhere. It all comes down to how you’re managing domain access, and the level of your corporate security and access controls ([Okta](https://www.okta.com/) is great for this). For projects with widely recognized domains, this kind of attack can severely or irreparably damage reputation and trust. Plus users, developers, and stakeholders who rely on the domain may unknowingly expose themselves to phishing or wallet theft.

**4. DNS Misconfiguration Exploitation**

At a localized level, attackers compromise a user’s router by exploiting common DNS setup errors, such as: incorrect DNS records containing typos, stale records pointing to expired resources (more on this below), and non-resolvable domains due to improper configuration. Though targeting individuals rather than projects, it’s the same fake out: routing users to a website or dApp dupe. As digital investors and traders rise—especially those using self-custodial wallets–router-level hijacking becomes a more pernicious threat for large-scale losses.

**5. Stale DNS Records**

One of the more common attacks, subdomain attacks exploit misconfigured or abandoned subdomains of legitimate crypto projects to target broad user groups instead of individuals. When projects set up subdomains for specific purposes—testnet interfaces, documentation sites, staging environments—and later deprovision them without properly removing the DNS records, they leave behind digital breadcrumbs. Attackers actively scan for these “unlocked doors” to your infrastructure, then claim these subdomains through readily available cloud service providers or hosting platforms. Boom, they now control what appears to be an official domain. Additionally, attackers may take over SPF records, which allows them to send emails on behalf of the domain. These types of attacks exploit the implicit trust users place in subdomains of known projects—assuming addresses like 'docs.protocol.com' or 'app.protocol.com' are organically part of the project infrastructure. Attackers weaponize this trust to launch malicious frontend interfaces or phishing sites that appear very much official, risking significant asset losses.

Each of these techniques is dangerously sneaky: they allow attackers to covertly redirect users while maintaining the appearance of legitimate domain names, which makes them that much more difficult to detect.

### **The DNS Hijacking Protection Playbook**

For crypto projects, securing both Web2 and Web3 components is essential to guard against loss. Specifically, mitigating the risk of DNS hijacking requires a multi-faceted approach. Here are a few of our best practices we recommend that every crypto project adopt:

![The DNS Hijacking Protection Playbook V2.png](https://gist.github.com/user-attachments/assets/c490b3fb-bb1e-4156-8db6-a164927c6a83)

### **Who Do You Trust?**

The Ambient Finance hack just this month serves as a great wake up call to prioritize Web2 security alongside smart contract security. Though more foundational than the exciting intricacies of smart contract vulnerabilities, DNS hijacking can disrupt just as easily—and with dire consequences. We feel strongly that protecting your users from these kinds of attacks should be at the core of your security strategy.

Understanding the various DNS hijacking vectors is a key first step, but what you do about it is everything. Robust protective measures like monitoring DNS changes, using reputable domain registrars, and enforcing strong 2FA protocols will go a long way to helping you defend your project from catastrophic losses. You simply can’t let an overlooked and under-the-radar Web2 vulnerability compromise what you’ve built. In crypto, trust rules them all. So, who do you trust?

If you're interested in fortifying your security posture, [reach out to our team](https://cantina.xyz/contact) to learn more about what solutions Cantina can provide to help. 

### Co-Authors

Thank you to our co-authors for contributing their formidable expertise.

Morgan Roman, Application Security, Uniswap Labs

[Anto Joseph // Security Engineer, EigenLayer](https://x.com/blocksek)

[Anton Astafiev // VP Security, Matter Labs](https://x.com/_bendersgreat_?lang=en)

A Guide To Prevent DNS Hijacking For Web3