Polygon, Fantom Suffers DNS Attack

Polygon’s Chief Information Security Officer, Mudit Gupta announced on Friday, that Ankr, its network’s Node infrastructure provider suffered a domain name system (DNS) attack.

Public RPC gateway provided by Ankr for Polygon (https://t.co/NEQW6sEUKe) and Fantom (https://t.co/apZkmh2ERA) were comprised via DNS hijack earlier today.

Polygon and Fantom foundation have no control over services provided by others.

Use Alchemy or others while this is fixed.

— Mudit Gupta (@Mudit__Gupta) July 1, 2022

The attackers were able to hijack the RPCs of two crypto-related platforms, Polygon and Fantom. According to available information, the hackers could be looking to deviously trick users to provide information about wallet seed phrase.

RPCs are a type of software communication tool used to transfer data between networks.

Ankr revealed that it was working on the issues raised by the community members while advising them to use other RPCs as an alternative to the compromised ones.

A tweet update from Ankr cofounder Chandler Song revealed that the hack was “caused by @gandibar changing their customers’ email addresses without their approval.”

Actually this is caused by @gandibar changing their customers' email addresses without their approval.

— Chandler Song (@chandlersyf) July 1, 2022

Gandibar is a popular domain name registrar.

Sandeep, Polygon co-founder, confirmed that its users’ funds were safe while also advising them to use other RPC providers like Infura and others.

GM,

1. Polygon POS RPC provided by @0xPolygon Infra provider @ankr were compromised by DNS hack. Currently Being resolved.

2. You can use any other RPC provider like @infura_io @AlchemyPlatform etc

3. Polygon POS chain is running perfectly fine

4. ALL USER FUNDS ARE SAFE https://t.co/8duSW4dTuN

— Sandeep | Polygon 💜🔝3️⃣ (@sandeepnailwal) July 1, 2022

Polygon Attackers Asked For Seed Phrase

Available details indicated that users of the compromised RPC received an error message directing them to immediately transfer their funds to another platform with the address: polygonapp[.]net.

Through this, they get transferred to an entirely different page asking for their seed phrase.

Malicious players are always devising new methods and plans on how to defraud unsuspecting individuals. Earlier today, the U.S. Department of Justice indicted six individuals for their roles in various crypto crimes.

Other Crypto Projects Suffered Similar Attacks

Notably, a similar DNS attack happened on June 24 with several DeFi projects being hijacked. Some of the affected projects here were Convex Finance, Ribbon Finance, Allbridge, and DeFisaver.

So far 4 #ethereum DeFi projects experienced a DNS hijack attack.@ConvexFinance @ribbonfinance @DeFiSaver and Allbridge.

They are all using @Namecheap and logged into their accounts to see DNS changed. So far namecheap has provided no explanation.@Namecheap this is serious pic.twitter.com/KD9w8GJAgp

— Lefteris Karapetsas | Hiring for @rotkiapp (@LefterisJP) June 24, 2022

According to available information on that attack, the affected projects were all using Namecheap as their domain registrar.

We've traced this down to a specific CS agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating.

— Richard Kirkendall (@NamecheapCEO) June 24, 2022

A tweet from Richard Kirkendall, the CEO of Namecheap, revealed that the attack was traced to a “specific CS agent that was either hacked or compromised,” however, the firm has “removed all access from this agent.”