Hackers Trick GoDaddy Employees in Operation Targeting Cryptocurrency Services

Cybercriminals were able to change the DNS settings of some cryptocurrency websites after tricking GoDaddy employees into providing them with access to customer accounts.

The incident happened earlier this month and affected an unknown number of the company’s customers, including at least two cryptocurrency-related websites: the virtual currency trading site Liquid and crypto-mining service NiceHash.

On November 18, both services announced that threat actors were able to breach their internal systems after GoDaddy incorrectly handed over control of their accounts.

Liquid CEO Mike Kayamori revealed that the incident took place on November 13, and that the threat actor was provided with the “ability to change DNS records and in turn, take control of a number of internal email accounts.”

Thus, the malicious actor compromised the trading platform’s infrastructure and even gained access to document storage. The platform said it took the necessary steps to contain the attack immediately after identifying it, as well as to “prevent further intrusions and to mitigate risk to customer accounts and assets.”

“Having contained the attack, reasserted control of the domain, and performed a comprehensive review of our infrastructure, we can confirm client funds are accounted for, and remain safe and secure. MPC-based and cold storage crypto wallets are secured and were not compromised,” Kayamori said.

NiceHash announced that a service outage on November 18 was caused by the same GoDaddy issues, and that, “as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed.”

The company immediately froze all wallet activity and restored its service after ensuring that funds were safe and users had access to their wallets. Withdrawals were suspended pending the results of an internal audit into the incident.

“At this moment in time, it looks like no emails, passwords, or any personal data were accessed but we do suggest resetting your password and activate 2FA security,” the company said last week.

Looking into the incident, investigative journalist Brian Krebs discovered that threat actors leveraged social engineering to trick GoDaddy employees into transferring access to specific accounts, and that all of the targeted accounts had their emails changed to point to privateemail.com.

In addition to Liquid and NiceHash, cryptocurrency platforms that might have been targeted by the same hacking group include Bibox.com, Celsius.network, and Wirex.app.

GoDaddy appears to have acknowledged the incident, saying that only a small number of customers were affected, but without providing information on how the adversaries targeted its employees.

SecurityWeek has emailed GoDaddy for additional information on the attack and will update the article as soon as a reply arrives.

Related: GoDaddy Notifies Customers of Data Breach

Related: Twitter Hack: 24 Hours From Phishing Employees to Hijacking Accounts

Related: 2020 Rings in a New Era of Cyber Attacks – and it’s Getting Personal