
How the Squarespace Migration Created a Perfect Storm for Crypto DNS Hijacking

The cryptocurrency ecosystem faced a significant security crisis on July 11, 2024, as multiple high-profile DeFi protocols fell victim to a coordinated DNS hijacking campaign. Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains all reported losing control of their official websites, with attackers redirecting traffic to wallet-draining phishing kits. With Bitcoin trading at $57,344 and Ethereum at $3,100, the stakes for users navigating these compromised platforms could not have been higher.

The Exploit Mechanics

The attack vector exploited a critical weakness in the domain migration from Google Domains to Squarespace, which was completed in June 2024. When Squarespace acquired Google Domains and migrated customer accounts, multi-factor authentication was disabled as a technical measure to prevent administrators from being locked out during the transition. This created a window of vulnerability that sophisticated threat actors quickly identified and exploited.

According to a security advisory published by researchers from Paradigm and MetaMask, the attackers used previously stolen or leaked credentials to log in to the Squarespace accounts that controlled the domains. Without MFA as a second barrier, the login required only a username and password, and those credentials had been circulating in breach dumps for months or even years. Once inside, the attackers edited the DNS records so that the legitimate hostnames resolved to servers they controlled; nothing in the protocols' smart contracts or front-end code had to change, only where the name pointed.

The phishing kits deployed on the hijacked domains were convincing. They reproduced the legitimate interfaces of Celer Network, Compound Finance and Pendle Finance closely enough that an ordinary user had no reliable way to tell the fake site from the real one, and the usual advice to check the URL did not help: the address bar showed the genuine domain, and whoever controls a domain's DNS can also obtain a valid TLS certificate for it. The goal was to get users to connect a wallet and then confirm what looked like a routine transaction. In practice that was an ERC-20 approval, a Permit signature or a direct transfer that handed an attacker-controlled contract the right to move the victim's tokens, after which the drainer swept the balances. Nothing is signed automatically; every draining transaction was presented to and confirmed by the victim, which is why the signing prompt is the last line of defense.

Affected Systems

The scope of the attack was particularly alarming because of the caliber of the targeted platforms. Celer Network, a major cross-chain bridge protocol, issued the first public warning on July 11, alerting the community that its domain had been compromised. Compound Finance, one of the oldest and most trusted DeFi lending protocols, confirmed shortly after that its domain had also been hijacked.

Pendle Finance, a yield-trading protocol that had seen significant growth in 2024, and Unstoppable Domains, a blockchain naming service, rounded out the confirmed victims. All four platforms had one thing in common: their domains had been migrated from Google Domains to Squarespace during the June transition period.

Beyond the website compromises, the researchers warned that an attacker who controls the zone also controls its MX records, so the same access could have been used to redirect the organizations' inbound email. That would have allowed interception of password reset links, two-factor authentication codes sent by email, and other sensitive communications, potentially opening a path into other internal systems.
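Monitoring for exactly this kind of change is cheap to script. The following is an added example, not code from the article, the advisory or any affected project: it compares a signed-off baseline of DNS records against a fresh snapshot and raises an alert when A, NS, CNAME or MX records differ, which covers both the website redirection described above and the MX hijack scenario. The hostnames, IP addresses and the `dig` wrapper are assumptions for illustration; the two snapshots are constructed.

```python
"""Alert on DNS records that drift from a signed-off baseline.

Added example; not code from the article, the advisory or any affected
project. Hostnames, addresses and the `dig` wrapper are assumptions for
illustration; BASELINE and HIJACKED are constructed snapshots.
"""
import subprocess
from dataclasses import dataclass

# How serious an unexpected change to each record type is. NS/A/CNAME move
# the site; MX moves inbound mail (password resets, email 2FA codes).
SEVERITY = {"NS": "critical", "A": "critical", "AAAA": "critical",
            "CNAME": "critical", "MX": "high", "TXT": "medium"}


@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    severity: str
    expected: frozenset
    observed: frozenset

    def __str__(self):
        return (f"[{self.severity.upper()}] {self.name} {self.rtype}: expected "
                f"{sorted(self.expected) or '-'}, observed {sorted(self.observed) or '-'}")


def diff_records(baseline, observed):
    """baseline/observed map (name, rtype) -> set of record values.
    Returns one Alert per record set that differs, plus one per record set
    that appeared with no baseline entry (e.g. a brand-new MX)."""
    alerts = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype), set())
        if set(seen) != set(expected):
            alerts.append(Alert(name, rtype, SEVERITY.get(rtype, "low"),
                                frozenset(expected), frozenset(seen)))
    for (name, rtype), seen in observed.items():
        if (name, rtype) not in baseline and seen:
            alerts.append(Alert(name, rtype, SEVERITY.get(rtype, "low"),
                                frozenset(), frozenset(seen)))
    return alerts


def fetch_with_dig(name, rtype, resolver="1.1.1.1"):
    """Live lookup through the `dig` CLI (not exercised by the offline sample).
    Ask a public recursive resolver rather than the zone's own nameservers so
    the check sees what users see, including a swapped NS set."""
    out = subprocess.run(["dig", "+short", "@" + resolver, name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return {line.strip().rstrip(".") for line in out.splitlines() if line.strip()}


def snapshot(baseline, lookup=fetch_with_dig):
    """Resolve every (name, rtype) in the baseline with the given lookup function."""
    return {key: lookup(*key) for key in baseline}


# Constructed baseline for a hypothetical protocol front end ...
BASELINE = {
    ("protocol.example", "A"): {"203.0.113.10"},
    ("protocol.example", "NS"): {"ns1.legit-dns.example", "ns2.legit-dns.example"},
    ("protocol.example", "MX"): {"10 mail.protocol.example"},
    ("app.protocol.example", "CNAME"): {"cdn.legit-host.example"},
}
# ... and a constructed snapshot after a registrar-level hijack: the site now
# resolves to an attacker host and mail is redirected, while NS is untouched.
HIJACKED = {
    ("protocol.example", "A"): {"198.51.100.77"},
    ("protocol.example", "NS"): {"ns1.legit-dns.example", "ns2.legit-dns.example"},
    ("protocol.example", "MX"): {"10 mail.attacker.example"},
    ("app.protocol.example", "CNAME"): {"cdn.legit-host.example"},
}

if __name__ == "__main__":
    for alert in diff_records(BASELINE, HIJACKED):
        print(alert)
    # For a live check: diff_records(BASELINE, snapshot(BASELINE))
```

Run it from a scheduled job on a host outside the registrar account, against a public resolver rather than the authoritative servers, so that the check observes what users actually resolve. An unexpected NS change is the strongest signal that the registrar account itself, not just a single record, has been taken over.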

The Mitigation Strategy

The response was swift and community-driven. Security researchers compiled lists of domains hosted on Squarespace and published them on GitHub, warning users to avoid those sites until administrators confirmed they had secured their accounts and re-enabled MFA. The research team from Paradigm and MetaMask published a PDF advisory describing the attack methodology and recommended countermeasures.

Domain administrators were advised to immediately review their Squarespace accounts, change all passwords, remove any unauthorized users with access to DNS records, revert any recent DNS changes, and re-enable multi-factor authentication. The incident also prompted broader discussions about the dangers of centralized domain registration for decentralized projects.

Lessons Learned

This incident laid bare a fundamental tension in the cryptocurrency space: while the protocols themselves may be decentralized and secure, the infrastructure used to access them — domain names, DNS servers, hosting providers — remains stubbornly centralized and vulnerable. The Squarespace migration created a systemic risk that affected multiple unrelated projects simultaneously, demonstrating how a single point of failure in the traditional internet infrastructure can cascade across the entire DeFi ecosystem.

The attack also showed which defense-in-depth layers actually hold when the registrar account is the thing compromised. Once DNS points at the attacker, the attacker serves the whole page, so controls embedded in the legitimate site such as content security policies and subresource integrity tags offer no protection: the hijacked page simply does not carry them. The layers that help sit outside the registrar's trust domain: registrar-side transfer and update locks, independent monitoring that alerts on unexpected changes to NS, A and MX records, alternative front ends such as IPFS or ENS-resolved mirrors that do not depend on the hijacked zone, and wallet-side warnings that flag known drainer contracts before the user signs. Projects with those measures in place were better positioned to protect their users even while their domains were compromised.

User Action Required

For users who interacted with Celer Network, Compound Finance, Pendle Finance, or Unstoppable Domains around July 11, 2024, immediate action is recommended. Review wallet transaction histories for any unauthorized approvals, particularly unlimited token allowances to unknown contracts. Revoke any suspicious approvals using tools like Revoke.cash or Etherscan token approval checkers. If you entered a seed phrase or private key on any of these sites during the attack window, immediately transfer all assets to a new wallet. Moving forward, always verify website authenticity through multiple channels before connecting a wallet or signing transactions.
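The approval review above can be done from raw event logs without trusting a third-party site. The following is an added example, not code from the article, Revoke.cash or Etherscan: it replays ERC-20 Approval events for a wallet (each event carries the new allowance, so the latest event per token and spender is the current allowance), flags non-zero allowances to spenders outside an allowlist or unlimited allowances to anyone, and builds the `approve(spender, 0)` calldata that revokes each one. The wallet, token and spender addresses and the log entries are constructed placeholders; only the Approval event topic hash and the approve selector are the real ERC-20 constants.

```python
"""Review ERC-20 allowances from raw Approval events and build revocations.

Added example; not code from the article, Revoke.cash or Etherscan.
The wallet, token and spender addresses and the log entries below are
constructed placeholders. Only APPROVAL_TOPIC and APPROVE_SELECTOR are the
real ERC-20 constants.
"""

# keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# First 4 bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = (1 << 256) - 1


def _addr_from_topic(topic_hex):
    """Indexed address arguments are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic_hex[-40:].lower()


def decode_approval(log):
    """Return (token, owner, spender, new_allowance) or None for non-Approval logs.
    log is a dict in eth_getLogs shape: 'address', 'topics', 'data', 'blockNumber'."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), _addr_from_topic(topics[1]),
            _addr_from_topic(topics[2]), int(log["data"], 16))


def current_allowances(logs, wallet):
    """Replay Approval events in chain order. Each event carries the allowance
    value after the change, so the last event per (token, spender) wins."""
    wallet = wallet.lower()
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l.get("logIndex", 0))):
        decoded = decode_approval(log)
        if decoded is None:
            continue
        token, owner, spender, value = decoded
        if owner == wallet:
            state[(token, spender)] = (value, log["blockNumber"])
    return state


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): 4-byte selector, 32-byte address, 32-byte zero.
    Send this as the data of a transaction to the token contract to revoke."""
    s = spender.lower()
    s = s[2:] if s.startswith("0x") else s
    return "0x" + APPROVE_SELECTOR + s.rjust(64, "0") + "0" * 64


def suspicious_allowances(logs, wallet, known_spenders):
    """Flag live allowances to spenders outside the allowlist, and unlimited
    allowances to anyone (a known router with uint256 max is still a risk if
    that router is ever compromised)."""
    known = {s.lower() for s in known_spenders}
    findings = []
    for (token, spender), (value, block) in current_allowances(logs, wallet).items():
        if value == 0:
            continue  # already revoked
        reasons = []
        if spender not in known:
            reasons.append("unknown spender")
        if value == UINT256_MAX:
            reasons.append("unlimited allowance")
        if reasons:
            findings.append({"token": token, "spender": spender, "value": value,
                             "block": block, "reasons": reasons,
                             "revoke_calldata": revoke_calldata(spender)})
    return findings


# --- constructed sample data (placeholder addresses, not real contracts) ---
WALLET = "0x" + "11" * 20
LEGIT_ROUTER = "0x" + "22" * 20
DRAINER = "0x" + "33" * 20
OLD_SPENDER = "0x" + "55" * 20
TOKEN_A = "0x" + "44" * 20
TOKEN_B = "0x" + "66" * 20


def _topic(addr):
    return "0x" + addr[2:].rjust(64, "0")


def _log(token, spender, value, block):
    return {"address": token, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, _topic(WALLET), _topic(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _log(TOKEN_A, LEGIT_ROUTER, 10**18, 20_280_000),      # bounded, known spender: fine
    _log(TOKEN_A, OLD_SPENDER, UINT256_MAX, 20_280_500),  # unlimited grant ...
    _log(TOKEN_A, DRAINER, UINT256_MAX, 20_281_500),      # unlimited to unknown spender: drainer pattern
    _log(TOKEN_B, LEGIT_ROUTER, UINT256_MAX, 20_281_600), # unlimited to known spender: still flagged
    _log(TOKEN_A, OLD_SPENDER, 0, 20_281_900),            # ... later revoked, so not flagged
    {"address": TOKEN_A, "blockNumber": 20_281_000, "logIndex": 0,  # unrelated event, ignored
     "topics": ["0x" + "ab" * 32, _topic(WALLET), _topic(DRAINER)], "data": "0x" + "0" * 64},
]

if __name__ == "__main__":
    for f in suspicious_allowances(SAMPLE_LOGS, WALLET, [LEGIT_ROUTER]):
        print(f"{f['token']} -> {f['spender']}: {', '.join(f['reasons'])}")
        print("  revoke with:", f["revoke_calldata"])
```

Feed it the result of `eth_getLogs` filtered on the Approval topic with the wallet address as the indexed owner topic, and confirm each finding with an `allowance(owner, spender)` call before revoking, since some tokens emit Approval on transferFrom as well. Note that off-chain Permit signatures leave no Approval event until the attacker submits them, so a clean log does not prove a clean wallet; if a seed phrase was entered, move the assets rather than revoking.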

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals before making decisions about your digital assets.


12 thoughts on “How the Squarespace Migration Created a Perfect Storm for Crypto DNS Hijacking”

  1. squarespace acquired millions of domains from google and nobody in the crypto space audited their registrar security until wallets were already draining. due diligence is always retrospective

  2. the real lesson is checking your own DNS registrar settings before a migration happens. Celer and Compound had weeks to move registrars after the Google Domains announcement. nobody did

  3. paradigm and metamask researchers dropping the advisory before Squarespace even acknowledged the issue. tells you everything about who actually protects users in this space

    1. wallet drainer phishing kits were live within hours of the DNS takeover. these weren't opportunists, they were pre-positioned

      1. pre-positioned and waiting for the migration window. this wasn't some script kiddie operation, the timing was surgical

  4. BTC at 57K and ETH at 3100. imagine checking compound finance and getting wallet drained because your DNS provider forgot to enable MFA. layers of failure

  5. the fact that this was preventable is what gets me. disabling MFA as a technical measure during migration is negligent

    1. disabling MFA during migration is like removing the locks from your house because the new tenant might lose their keys. absurd logic

    2. squarespace response was basically we are aware and investigating while wallets were being drained in real time. peak corporate crisis management

      1. squarespace had one job after acquiring google domains and they fumbled the security handoff. corporate crisis management indeed

  6. the cascading failures here are wild. ISP credentials leak -> MFA disabled during migration -> DNS changed -> phishing kit live. each layer assumed the other was secure

    1. dns_grimoire_: dns_oracle, "each layer assumed the other was secure" is the perfect summary. defense in depth only works if every layer actually has defenses

