Connect with us

Hi, what are you looking for?


Identity & Access

Expired Domain Allowed Researcher to Hijack Country’s TLD

A researcher claimed last week that he managed to take control of the country code top-level domain (ccTLD) for the Democratic Republic of Congo after an important domain name was left to expire.

A researcher claimed last week that he managed to take control of the country code top-level domain (ccTLD) for the Democratic Republic of Congo after an important domain name was left to expire.

Before the holidays, Fredrik Almroth, founder and researcher at web security company Detectify, decided to analyze the name server (NS) records used by all TLDs. These NS records specify the servers for a DNS zone.

He noticed that a domain named, which had been listed as a name server for .cd, the TLD for Congo, had been left to expire. Almroth realized that the domain could be highly valuable to a bad actor so he quickly acquired it himself to prevent abuse.

The remaining name servers managing the .cd TLD belonged to South African Internet eXchange (SAIX), which kept the TLD operational. However, gaining control over the domain could have still allowed a malicious actor to hijack half of the DNS traffic for .cd websites.

Congo TLD cd name servers

Almroth believes the impact could have been significant considering that the African country has a population of approximately 90 million people, as well as the fact that many international organizations have a .cd website.

The researcher noted that a threat actor could have redirected DNS traffic from legitimate sites to phishing or other malicious websites, they could have passively intercepted DNS traffic for surveillance purposes or data exfiltration, or they could have used it for fast fluxing, to hide malicious websites.

Hackers could have also abused this access for remote code execution on local networks, they could have taken control of the domains of high-profile organizations, or they could have launched DDoS attacks against a specific target. They could have also disrupted much of the TLD, Almroth said.

Advertisement. Scroll to continue reading.

In a blog post published last week, the researcher provided examples of how some of these attacks could have been carried out.

Almroth has been trying to return to its rightful owner and, in the meantime, name servers have been replaced with by the administrators of the TLD, who were notified by the researcher in early January.

“The potential implications for DNS hijacking of a ccTLD are widespread and have extreme negative consequences, especially if the attacker has bad intentions,” Almroth explained in his blog post. “This vulnerability affects more than a single website, subdomain, or even a single apex domain. All .cd websites, including those for major international companies, financial institutions, and other organizations that have a .cd domain in Africa’s second most populous country could have fallen victim to abuse, including phishing, MITM, or DDoS.”

Related: DHS Warns Federal Agencies of DNS Hijacking Attacks

Related: Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users

Related: State-Sponsored Hackers Use Sophisticated DNS Hijacking in Ongoing Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...