Balancer attributes website takeover to ‘social engineering attack’ involving DNS provider.
The Balancer team, which operates an Ethereum-based automated market maker, suspects that a social engineering attack on its DNS service provider resulted in the compromise of its website frontend on September 19, leading to an estimated theft of $238,000 in cryptocurrency.
“Following our investigation, it is evident that this incident was a social engineering attack targeting EuroDNS, the domain registrar for .fi TLDs,” the company stated in a post on X on September 20.
About eight hours after the initial alert regarding the attack, Balancer reported that its decentralized autonomous organization (DAO) was actively responding to the DNS breach and was working on restoring the Balancer user interface.
At 5:45 PM UTC on September 20, Balancer announced that it had successfully secured the domain and regained control for Balancer DAO. It also confirmed that its subdomains “app.balancer.fi” and other “balancer.fi” domains are safe for use once more.
Following our investigation, it is evident that this incident was a social engineering attack targeting EuroDNS, the domain registrar for .fi TLDs.
We are considering deprecating the .fi TLD to transition to a more secure registrar and recommend that other projects utilizing this TLD do the same.
[2/2]— Balancer (@Balancer) September 20, 2023
However, it advised other projects using the same top-level domain to contemplate switching to a more secure registrar.
EuroDNS is a domain name registrar and DNS service provider based in Luxembourg. Cointelegraph has reached out to EuroDNS for a statement.
Angel Drainer Involved
Blockchain security firms SlowMist and CertiK reported that the attacker utilized Angel Drainer phishing contracts.
SlowMist indicated that the exploiters targeted Balancer’s website through Border Gateway Protocol hijacking, a method where hackers gain control of IP addresses by manipulating internet routing tables.
The attackers then prompted users to sign token “approve” transactions and used the resulting allowances to move the funds to the Balancer exploiter address with the “transferFrom” function, SlowMist explained.
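The approve/transferFrom flow described above is ordinary ERC-20 behaviour that approval-phishing kits abuse: once a user signs an approval for the drainer's spender address, the drainer can call transferFrom without any further signature from the victim. The following is an added example, not Balancer's or SlowMist's code, that models that flow in memory with a constructed victim balance, shows the defender-side check (flagging approvals to unknown spenders or with unlimited allowance) and shows that revoking the allowance stops further transfers. The addresses, the trusted-spender list and the amounts are all constructed placeholders.

```python
"""In-memory model of ERC-20 approve/transferFrom plus an approval-risk check.
Added example for illustration; not code from Balancer, SlowMist or CertiK."""

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance value many dapps request


class Erc20Model:
    """Minimal ERC-20 semantics: balances, allowances, approve, transferFrom."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}        # (owner, spender) -> allowed amount
        self.approval_events = []   # mirrors on-chain Approval(owner, spender, value)

    def approve(self, owner, spender, amount):
        # Signed by the token owner; this is the transaction a phishing page asks for.
        self.allowances[(owner, spender)] = amount
        self.approval_events.append({"owner": owner, "spender": spender, "value": amount})
        return True

    def transfer_from(self, caller, owner, to, amount):
        # Sent by the spender; needs no signature from the owner, only an allowance.
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != MAX_UINT256:  # unlimited allowances are not decremented
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def risky_approvals(events, trusted_spenders):
    """Flag Approval events whose spender is unknown or whose value is unlimited.
    Revocations (value 0) are never flagged."""
    flagged = []
    for ev in events:
        if ev["value"] == 0:
            continue
        reasons = []
        if ev["spender"] not in trusted_spenders:
            reasons.append("unknown spender")
        if ev["value"] == MAX_UINT256:
            reasons.append("unlimited allowance")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


def drain_scenario():
    """Walk through approval -> drain -> detection -> revocation on constructed data."""
    token = Erc20Model({"victim": 100})                # constructed balance
    trusted = {"legit_vault"}                           # constructed allow-list
    # 1. The compromised frontend gets the user to sign an unlimited approval.
    token.approve("victim", "drainer", MAX_UINT256)
    # 2. The drainer pulls tokens with transferFrom; the victim signs nothing here.
    drained = token.transfer_from("drainer", "victim", "drainer_wallet", 15)
    # 3. Defender-side check over the Approval events.
    flags = risky_approvals(token.approval_events, trusted)
    # 4. Mitigation: the user revokes the allowance by approving 0.
    token.approve("victim", "drainer", 0)
    after_revoke = token.transfer_from("drainer", "victim", "drainer_wallet", 15)
    return {
        "drained": drained,
        "victim_balance": token.balances["victim"],
        "flags": flags,
        "after_revoke": after_revoke,
    }


if __name__ == "__main__":
    print(drain_scenario())
```

The point for defenders is the third step: an approval to a spender that is not a known protocol contract, especially an unlimited one, is the signal worth alerting on, and an approval of zero to that spender is the remedy.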
The hacker, whom SlowMist suspects may have ties to Russia, has already bridged some of the stolen Ether (ETH) to Bitcoin (BTC) addresses via THORChain before ultimately bridging the ETH back to Ethereum, the firm detailed on September 20.
SlowMist previously stated that the hacker transferred approximately 15 wrapped-Ether (wETH.e) on the Avalanche blockchain.
Balancer Hack Update
So far, we have the following findings about the @Balancer exploiter:
1/ The attacker’s fee originated from the phishing group #AngelDrainer. In other words, after the attacker (AngelDrainer) compromised the website via BGP hijacking, they then induced users to… https://t.co/5g6P2aPEz8 pic.twitter.com/3PInfe9VC1 — MistTrack (@MistTrack_io) September 20, 2023
Meanwhile, despite Balancer confirming that its subdomains and balancer.fi are now secure, attempts to access the Balancer website still display a “Deceptive site ahead” warning.
Balancer’s website as of September 20 at 10:22 PM UTC. Source: Balancer.
Cointelegraph reached out to Balancer to verify the amount of funds lost but did not receive an immediate reply.