On March 20, 2024, cryptocurrency bridge service Layerswap suffered a devastating domain hijacking attack that redirected users to a malicious phishing site, draining approximately $100,000 from around 50 wallets. The attackers compromised Layerswap’s GoDaddy account, seized control of the layerswap.io domain, and even attempted to take over the company’s Twitter account to prevent them from warning users. If you think your crypto is safe just because you use a hardware wallet, this incident shows that the attack surface extends far beyond the blockchain itself.
The Basics
Domain hijacking occurs when an attacker gains control of a website’s domain registration, and with it the DNS records that tell your browser where to find the site. In the crypto world, this is particularly dangerous because users routinely connect their wallets to websites for trading, staking, and bridging. When a legitimate domain is redirected to a malicious site, users may unknowingly connect their wallets to a fake interface that drains their funds.
In the Layerswap incident, the attacker gained access to the company’s GoDaddy account at approximately 19:40 UTC on March 20, 2024. The domain was redirected to a phishing site that looked identical to the real Layerswap interface. Users who visited the site and connected their wallets had their funds siphoned. The attack lasted until 23:07 UTC, when Layerswap finally regained control of the domain — nearly three and a half hours of exposure.
Why It Matters
Domain hijacking attacks are becoming more frequent and more sophisticated in the crypto space. Unlike smart contract exploits that target code vulnerabilities, domain attacks target the internet infrastructure layer — domain registrars, DNS servers, and hosting providers. These attacks can affect even the most security-conscious projects because they exploit weaknesses in third-party services rather than the project’s own code.
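For a project defending against this class of attack, the infrastructure layer can be watched by comparing what the domain currently resolves to against a pinned baseline. The sketch below is an added example, not Layerswap's tooling; the page does not say which records were changed, so the baseline fields, name servers, IP ranges and snapshots are all constructed assumptions.

```python
# Added example: compare observed DNS/registration state with a pinned baseline.
# Domain data, IP ranges and snapshots are constructed for illustration.
from ipaddress import ip_address, ip_network

GOOD_NS = ["ns1.dns-host.example.", "ns2.dns-host.example."]
LOCKS = ["clientTransferProhibited", "clientUpdateProhibited"]  # EPP status codes
BASELINE = {
    "ns": set(GOOD_NS),
    "a_networks": [ip_network("192.0.2.0/24")],  # ranges the real site serves from
    "required_status": set(LOCKS),
}


def check_snapshot(snap, baseline=BASELINE):
    """Return (severity, message) findings for one observation of the domain."""
    findings = []
    ns = {name.lower() for name in snap["ns"]}
    if ns != baseline["ns"]:
        findings.append(("critical", f"delegation changed: {sorted(ns)}"))
    for addr in snap["a"]:
        if not any(ip_address(addr) in net for net in baseline["a_networks"]):
            findings.append(("critical", f"A record {addr} outside expected ranges"))
    missing = baseline["required_status"] - set(snap["status"])
    if missing:
        findings.append(("high", f"registrar lock missing: {sorted(missing)}"))
    return findings


def first_drift(snapshots):
    """Timestamp of the earliest snapshot with any finding, or None if clean."""
    for snap in sorted(snapshots, key=lambda s: s["ts"]):
        if check_snapshot(snap):
            return snap["ts"]
    return None


# Constructed observations, as a polling job might record them.
SNAPSHOTS = [
    {"ts": "2024-01-01T10:00Z", "ns": GOOD_NS, "a": ["192.0.2.10"], "status": LOCKS},
    {"ts": "2024-01-01T10:05Z", "ns": GOOD_NS, "a": ["192.0.2.10"],
     "status": ["clientTransferProhibited"]},           # update lock dropped
    {"ts": "2024-01-01T10:10Z", "ns": ["ns1.other-host.example."],
     "a": ["203.0.113.66"], "status": []},               # delegation and A moved
]

if __name__ == "__main__":
    for snap in SNAPSHOTS:
        print(snap["ts"], check_snapshot(snap) or "ok")
```

A dropped lock status is reported before any record changes, which is the earliest point at which an account compromise becomes visible from outside the registrar.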
With Bitcoin trading near $65,491 and the total crypto market cap above $2.6 trillion, the financial incentives for these attacks have never been greater. A single successful domain hijack can net attackers hundreds of thousands of dollars in minutes. The Layerswap attack happened on the same day as the $1.8 million Dolomite Exchange hack and the $4.6 million Super Sushi Samurai exploit, illustrating the sheer volume of attack vectors targeting crypto users.
Getting Started Guide
Protecting yourself from domain hijacking attacks requires a multi-layered approach. Here are the essential steps every crypto user should follow:
Step 1: Verify URLs manually. Always type the URL of any crypto service directly into your browser rather than clicking links from emails, social media, or messaging apps. Bookmark the correct URLs for services you use regularly.
Step 2: Check for SSL certificates. Look for the padlock icon in your browser’s address bar and verify the domain name matches exactly. However, an attacker who controls a hijacked domain can obtain a valid certificate for it, because certificate authorities issue domain-validated certificates to whoever demonstrates control of the domain, so this alone is not sufficient protection.
Step 3: Use browser extensions. Security-focused browser extensions like PocketUniverse or Wallet Guard can detect suspicious wallet connection requests and warn you before you interact with a potentially compromised site.
Step 4: Enable transaction simulations. Modern wallets like MetaMask offer transaction simulation features that show you what a transaction will do before you sign it. If a routine bridge or swap operation shows unusual token transfers, abort immediately.
Step 5: Set up hardware wallet limits. Use a hardware wallet for large holdings and set daily transaction limits where possible. This limits the damage even if you do connect to a malicious site.
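The transaction preview in Step 4 comes down to decoding what the calldata asks you to sign. The sketch below is an added example, not code from MetaMask or any other wallet, and it covers only approval-type calls; the selectors are the standard ERC-20 and ERC-721 ones, while the addresses and the `trusted_spenders` allow-list are constructed assumptions.

```python
# Added example: flag calldata that grants token-spending rights.
# Selectors are the standard ERC-20 / ERC-721 ones; addresses are constructed.
APPROVE = "095ea7b3"        # approve(address,uint256)
INCREASE = "39509351"       # increaseAllowance(address,uint256)
APPROVE_ALL = "a22cb465"    # setApprovalForAll(address,bool)
UNLIMITED = 2**255          # allowances this large are effectively unlimited


def _word(data, i):
    """Return the i-th 32-byte ABI argument after the 4-byte selector."""
    word = data[4 + 32 * i: 36 + 32 * i]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def inspect_calldata(calldata_hex, trusted_spenders):
    """Return a list of warnings for one pending transaction's calldata."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in (APPROVE, INCREASE, APPROVE_ALL):
        return []           # not an approval-type call; out of scope here
    spender = "0x" + _word(data, 0)[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"grants rights to unrecognised address {spender}")
    if selector == APPROVE_ALL and value != 0:
        warnings.append("operator may move every token in this collection")
    elif selector != APPROVE_ALL and value >= UNLIMITED:
        warnings.append("unlimited token allowance requested")
    return warnings


def encode(selector, address, value):
    """Build sample calldata: selector + two left-padded 32-byte words."""
    return "0x" + selector + address[2:].rjust(64, "0") + f"{value:064x}"


BRIDGE = "0x" + "11" * 20       # constructed: the contract the user expects
UNKNOWN = "0x" + "ab" * 20      # constructed: an address the user has never used

if __name__ == "__main__":
    tx = encode(APPROVE, UNKNOWN, 2**256 - 1)
    for warning in inspect_calldata(tx, {BRIDGE}):
        print("WARNING:", warning)
```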
Common Pitfalls
The most dangerous mistake is trusting a URL just because it looks familiar. Sophisticated attackers create convincing replicas of legitimate sites that can fool even experienced users. Another common pitfall is ignoring security alerts — when projects announce security incidents on social media, users should immediately stop interacting with the service until an all-clear is given. Finally, many users fail to revoke token approvals after using a service, leaving persistent access that can be exploited if the service is later compromised.
Next Steps
After the Layerswap incident, the company promised full refunds plus an additional 10% to affected users — a commendable response that not all projects would match. However, prevention is always better than hoping for reimbursement. Take time this week to audit your own crypto security practices: bookmark your frequently used services, install a wallet security extension, and review your active token approvals on tools like Revoke.cash or Etherscan’s token approval checker. The five minutes you spend on these precautions could save you from becoming the next victim of a domain hijacking attack.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.
this is why i use a separate hot wallet for every defi interaction. hardware wallet means nothing if you connect it to a hijacked domain
this. 50 wallets drained because someone did not enable proper 2FA on their registrar. $100k lesson for everyone else i guess
godaddy for a crypto project in 2024 is a choice. use a registrar with 2FA and registry lock, this is basic opsec
registry lock costs like $200/year and would have prevented this entire attack. layerswap had six figures in user funds but skipped the most basic domain protection
DNSSEC + registry lock should be mandatory for any project handling user funds. $200 a year to prevent a $100k drain and layerswap skipped it
layerswap handled the aftermath pretty well tbh. full reimbursement within 48 hours. but the damage to trust is harder to fix
50 wallets drained in minutes and it took the Twitter compromise for anyone to notice. monitoring failed at every level here
the attacker bridged stolen funds through deBridge and fixedfloat. the laundering path was faster than layerswap’s response time