Protecting Crypto Assets From Domain Hijacking: A Security Blueprint

The July 2024 Squarespace DNS hijacking campaign that compromised domains belonging to Compound Labs, Pendle, and other prominent DeFi protocols served as a stark reminder that threat actors increasingly target the web infrastructure layer rather than smart contracts themselves. With over 200 cryptocurrency domains identified as potentially vulnerable, the attack highlighted systemic weaknesses in domain management practices across the industry. Bitcoin was trading at approximately $57,900 at the time, and Ethereum hovered around $3,134 — meaning any successful phishing redirect could have resulted in catastrophic losses for unsuspecting users.

The Threat Landscape

Domain hijacking has evolved from a niche attack vector into a primary weapon in the crypto attacker’s arsenal. The Squarespace incident was not an isolated event but part of a broader trend where attackers exploit weaknesses in registrar account security, social engineering against registrar support staff, and vulnerabilities introduced during corporate migrations and acquisitions. The Google Domains to Squarespace transition in 2023 created a uniquely exploitable situation: domains were automatically migrated, but the account creation process for claiming those domains on Squarespace’s platform lacked adequate identity verification. Attackers simply registered accounts with the domain-associated email addresses before the legitimate owners could, gaining full DNS control without triggering any alerts.

Core Principles

Effective domain security for cryptocurrency platforms rests on three pillars. First, registry lock services should be enabled on all critical domains — this adds a layer of verification that prevents unauthorized DNS changes even if an attacker gains account access. Second, multi-factor authentication must be mandatory for all registrar accounts, with hardware security keys preferred over SMS-based codes. Third, domain registrant information should be monitored continuously, with automated alerts configured for any changes to DNS records, WHOIS data, or account settings. No single measure is sufficient on its own, but together they create a defense-in-depth approach that significantly raises the cost and complexity for attackers.

Tooling and Setup

Teams should deploy DNS monitoring tools such as SecurityTrails, DNSdumpster, or cloud-based monitoring services that track record changes in near-real time. Celer Network’s experience during the July 12 attacks demonstrated the effectiveness of this approach: their 24/7 monitoring detected the unauthorized DNS modification within minutes, allowing their security team to restore records before any user funds were lost. When choosing a domain registrar, evaluate its security posture before committing. Look for providers that offer two-factor authentication, registry locks, and detailed audit logs of all account activity. Avoid registrars that allow account creation or recovery without robust identity verification, as this was precisely the weakness exploited in the Squarespace campaign.
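The record-change alerting described above comes down to diffing what resolvers return against a reviewed baseline. The sketch below is an added example, not code from the article or from any of the tools it names; the record data is constructed (example.com names, documentation IP ranges) and the severity mapping is an assumption to tune per team.

```python
# Severity by record type (assumed policy): an NS change moves the whole zone
# to another provider, address changes redirect users, MX changes redirect mail.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high",
            "CNAME": "high", "MX": "medium", "TXT": "low"}
HOSTNAME_TYPES = {"NS", "CNAME", "MX"}
ORDER = ["critical", "high", "medium", "low"]


def normalize(rtype, value):
    """Hostnames are case-insensitive and may end in a root dot; TXT data is not."""
    value = value.strip()
    return value.lower().rstrip(".") if rtype in HOSTNAME_TYPES else value


def diff_records(baseline, observed):
    """Both arguments map (name, rtype) -> list of values. Returns alerts,
    most severe first, for every record set that differs from the baseline."""
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        rtype = key[1]
        want = {normalize(rtype, v) for v in baseline.get(key, ())}
        have = {normalize(rtype, v) for v in observed.get(key, ())}
        if want == have:
            continue  # cosmetic differences (case, trailing dot) are not drift
        alerts.append({
            "name": key[0], "type": rtype,
            "severity": SEVERITY.get(rtype, "medium"),
            "added": sorted(have - want),
            "removed": sorted(want - have),
        })
    alerts.sort(key=lambda a: ORDER.index(a["severity"]))
    return alerts


# Constructed sample data: the reviewed baseline and one monitoring snapshot.
BASELINE = {
    ("example.com", "NS"): ["ns1.dns-host.example.", "ns2.dns-host.example."],
    ("example.com", "A"): ["192.0.2.10"],
    ("app.example.com", "A"): ["192.0.2.20"],
}
OBSERVED = {
    ("example.com", "NS"): ["NS1.DNS-HOST.EXAMPLE", "ns2.dns-host.example"],
    ("example.com", "A"): ["192.0.2.10"],
    ("app.example.com", "A"): ["198.51.100.77"],    # address changed
    ("claim.example.com", "A"): ["198.51.100.78"],  # record never approved
}

if __name__ == "__main__":
    for alert in diff_records(BASELINE, OBSERVED):
        print(alert)
```

Records that appear without ever being in the baseline are reported the same way as modified ones, since a new subdomain under a trusted name is as useful to a phishing page as a changed address.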

Ongoing Vigilance

Security is not a one-time configuration but a continuous process. Conduct quarterly reviews of domain registrar security settings, including MFA status, authorized contacts, and DNS record configurations. Implement a domain asset inventory that tracks all owned domains, their registrars, expiration dates, and associated security measures. Train team members on the risks of phishing attacks targeting registrar credentials and establish clear incident response procedures for suspected domain compromises. The Squarespace incident showed that even well-funded protocols can be caught off guard when infrastructure providers change their security posture without adequate notice.
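A quarterly review of the domain inventory can be run as a policy check over the inventory itself. The following is an added example, not from the article: the inventory field names, the MFA labels and the 60-day renewal window are assumptions, the entries are constructed, and the only real identifiers are the EPP status codes (RFC 5731) that a registry lock sets.

```python
from datetime import date

# EPP status codes set by the registry when a registry lock is in place.
# The client* codes are set by the registrar and can be lifted by anyone
# who controls the registrar account, so they do not count as a lock here.
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited",
                 "serverDeleteProhibited"}
STRONG_MFA = {"hardware-key"}   # assumed policy: SMS codes do not pass
RENEWAL_WINDOW_DAYS = 60        # assumed policy


def audit(inventory, today):
    """Return {domain: [finding, ...]} for every entry that fails policy."""
    report = {}
    for entry in inventory:
        findings = []
        missing = REGISTRY_LOCK - set(entry["epp_status"])
        if entry["critical"] and missing:
            findings.append("registry lock incomplete, missing: "
                            + ", ".join(sorted(missing)))
        if entry["mfa"] not in STRONG_MFA:
            findings.append(f"registrar MFA is '{entry['mfa']}', "
                            "hardware key required")
        days_left = (entry["expires"] - today).days
        if days_left < RENEWAL_WINDOW_DAYS:
            findings.append(f"expires in {days_left} days")
        if findings:
            report[entry["domain"]] = findings
    return report


# Constructed inventory; status values would come from WHOIS/RDAP output.
INVENTORY = [
    {"domain": "example.com", "registrar": "Registrar A", "critical": True,
     "epp_status": ["clientTransferProhibited", "serverTransferProhibited",
                    "serverUpdateProhibited", "serverDeleteProhibited"],
     "mfa": "hardware-key", "expires": date(2025, 3, 1)},
    {"domain": "app.example.net", "registrar": "Registrar B", "critical": True,
     "epp_status": ["clientTransferProhibited"],
     "mfa": "sms", "expires": date(2024, 8, 10)},
]

if __name__ == "__main__":
    for domain, findings in audit(INVENTORY, date(2024, 7, 15)).items():
        print(domain, findings)
```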

Final Takeaway

The Squarespace DNS hijacks were a wake-up call for the entire crypto industry. As DeFi protocols grow in size and sophistication, attackers will continue to shift their focus to softer targets in the infrastructure layer. The protocols that survive and thrive will be those that treat domain security with the same rigor they apply to smart contract audits and key management. Do not wait for your domain to be hijacked before taking action — the tools and practices needed to prevent these attacks are available today.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.

10 thoughts on “Protecting Crypto Assets From Domain Hijacking: A Security Blueprint”

  1. registry lock is the single most underrated security measure for crypto projects. costs like 500 a year and prevents exactly this

    1. attacking infrastructure layers instead of contracts is the new meta. why bother with smart contract auditing when you can just steal the domain

      1. exactly this. the Squarespace migration auto-created accounts without proper verification. 200+ domains sitting there unprotected and nobody at either company thought about the implications

        1. null_route_ the auto-account creation during migration was the real vulnerability. google domains sold the transfer as seamless. seamless into a hijacking pipeline more like

    2. registry lock plus hardware 2FA on the registrar account. two things, maybe 600 bucks a year total. yet projects with 9 figure treasuries skip both

      1. 600 bucks a year to protect a treasury worth millions. the cost benefit analysis is absurd and yet here we are

    3. secops_daily registry lock is cheap insurance but most teams don't even know it exists. the knowledge gap between security best practices and what DeFi protocols actually implement is staggering

  2. the Squarespace migration timeline analysis is thorough. they had months to fix the account creation flow and just didn't

    1. months of warning and zero action. the google to squarespace migration was a known risk that both companies ignored

      1. months of warning is the recurring theme in every crypto hack. MOVEit, Squarespace, the pattern is always the same. known vulnerability, zero action until funds disappear
