Cointelegraph
DOGE$0.07393 0.95%
TRX$0.3300 0.63%
LINK$7.91 1.68%
ZEC$499.26 2.44%
ADA$0.1668 0.06%
XRP$1.10 0.42%
ETH$1,788.61 1.91%
BTC$63,873.88 0.85%
XMR$322.45 0.94%
BNB$576.43 0.62%
XLM$0.1904 3.34%
SOL$77.68 0.69%
HYPE$67.74 0.31%
Written by Brayden Lindreastaff writerReviewed by Felix Ngstaff editor

Balancer blames ‘social engineering attack’ on DNS provider for website hijack

Latest NewsPublishedSep 21, 2023

Blockchain security firms SlowMist and CertiK also believe the crypto wallet drainer, Angel Drainer, was involved in the estimated $238,000 exploit.

balancer-social-engineering-attack-dns-provider-frontend-hijack

The team behind Balancer, an Ethereum-based automated market maker, believes a social engineering attack on its DNS service provider was what led to its website’s front end being compromised on Sept. 19, leading to an estimated $238,000 in crypto stolen.

“After investigation, it is clear that this was a social engineering attack on EuroDNS, the domain registrar used for .fi TLDs,” the firm explained in a Sept. 20 X post.

Approximately eight hours after the first warning of the attack, Balancer said its decentralized autonomous organization (DAO) was actively addressing the DNS attack and was working to recover the Balancer UI.

At 5:45 pm UTC on Sept. 20, Balancer said it was successful in securing the domain and bringing it back under the control of Balancer DAO. It also confirmed its subdomains “app.balancer.fi” and “balancer.fi” are safe to use again.

After investigation it is clear that this was a social engineering attack on EuroDNS, the domain registrar used for .fi TLDs.

We are exploring deprecating the .fi TLD in order to move to a more secure registrar and suggest that other projects using the TLD do the same.

[2/2]— Balancer (@Balancer) September 20, 2023

However, it suggested any other projects using the same top-level domain should consider moving to a more secure registrar.

EuroDNS is a Luxembourg-based domain name registrar and DNS service provider. Cointelegraph has reached out to EuroDNS for comment.

Angel Drainer involved

Blockchain security firms SlowMist and CertiK reported that the attacker employed Angel Drainer phishing contracts.

SlowMist said the exploiters attacked Balancer’s website via Border Gateway Protocol hijacking — a process where hackers take control of IP addresses by corrupting internet routing tables.

The hackers then induced users to “approve” and transfer funds via the “transferFrom” function to the Balancer exploiter, it explained.

Related: Breaking: ‘All funds are at risk' — Steadefi exploited in ongoing attack

The hacker, whom SlowMist believes may be related to Russia, has already bridged some of the stolen Ether (ETH) to Bitcoin (BTC) addresses via THORChain before eventually bridging the ETH back to Ethereum, blockchain security firm SlowMist explained on Sept. 20.

SlowMist stated in an earlier post that the hacker transferred about 15 wrapped-Ether (wETH.e) on the Avalanche blockchain.

Balancer Hack Update

So far, we have the following findings about the @Balancer exploiter:

1/ The attacker’s fee came from the phishing group #AngelDrainer. In other words, after the attacker (AngelDrainer) attacked the website via BGP hijacking, then induced users to… https://t.co/5g6P2aPEz8 pic.twitter.com/3PInfe9VC1— MistTrack️ (@MistTrack_io) September 20, 2023

Meanwhile, despite Balancer confirming its subdomains on “balancer.fi” to now be safe, the “Deceptive site ahead” warning still appears when attempting to access Balancer’s website.

Balancer’s website as of Sept. 20 at 10:22 pm UTC. Source: Balancer.

Cointelegraph reached out to Balancer to confirm the amount of funds lost, but did not receive an immediate response.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

1 minute letter

Subscribe to daily byte-sized crypto news from Cointelegraph

Subscribe
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.

More on the subject