## Understanding the Curve Finance DNS hijacking
_On May 12, 2025, at 20:55 UTC, hackershijacked the &#8220;.fi&#8221; domain name system 
(DNS) of Curve Finance after managing to access the registrar. They began 
sending its users to a malicious website, attempting to drain their wallets. 
This was the second attack on Curve Finance&#8217;s infrastructure in a week._
Users were directed to a website that was a non-functional decoy, designed 
only to trick users into providing wallet signatures. The hack hadn&#8217;t breached 
the protocol&#8217;s smart contracts and was limited to the DNS layer.
The DNS is a critical component of the internet that functions like a 
phonebook. It allows you to use simple, memorable domain names (such as 
facebook.com) instead of complex numerical IP addresses (like 192.168.1.1) for 
websites. DNS converts these user-friendly domain names into the IP addresses 
computers require to connect.
This is not the first time Curve Finance, a decentralized finance (DeFi) 
protocol, has suffered such an attack. Back in August 2022, Curve Finance 
faced an attack with similar tactics. The attackers had cloned the Curve 
Finance website and interfered with its DNS settings to send users to a 
duplicate version of the website. Users who tried using the platform ended up 
losing their money to the attackers. The project was using the same registrar, 
&#8220;iwantmyname,&#8221; at the time of the previous attack.
## How attackers execute DNS hijacking in crypto
_When a user types a web address, their device queries a DNS server to 
retrieve the corresponding IP address and connect to the correct website. In 
DNS hijacking, fraudsters interfere with this process by altering how DNS 
queries are resolved, rerouting users to malicious sites without their 
knowledge._
Fraudsters execute DNS hijacking in several ways. Attackers might exploit 
vulnerabilities in DNS servers, compromise routers, or gain access to domain 
registrar accounts. The objective is to change the DNS records so that a user 
trying to visit a legitimate site is redirected to a fake, lookalike page 
containing wallet-draining code.
Types of DNS hijacking include:
 * **Local DNS hijack:** Malware on a user&#8217;s device changes DNS settings, redirecting traffic locally. 
 * **Router hijack:** Attackers compromise home or office routers to alter DNS for all connected devices. 
 * **Man-in-the-middle attack:** Intercepts DNS queries between user and server, altering responses on the fly. 
 * **Registrar-level hijack:** Attackers gain access to a domain registrar account and modify official DNS records, affecting all users globally.
_**Did you know?** During the Curve Finance DNS attack in 2023, users 
accessing the real domain unknowingly signed malicious transactions. The back 
end was untouched, but millions were lost through a spoofed front end._
## How DNS hijacking worked in the case of Curve Finance
**When attackers compromise a website with DNS hijacking, they can reroute 
traffic to a malicious website without the user &#8216;s knowledge. **
There are several ways DNS hijacking can occur. Attackers might infect a 
user&#8217;s device with malware that alters local DNS settings, or they may gain 
control of a router and change its DNS configuration. They may also target DNS 
servers or domain registrars themselves. In such cases, they modify the DNS 
records at the source, affecting all users trying to access the site.
In the case of Curve Finance, the attackers infiltrated the systems of the 
domain registrar &#8220;iwantmyname&#8221; and altered the DNS delegation of the 
&#8220;curve.fi&#8221; domain to redirect traffic to their own DNS server.
A domain registrar is a company authorized to manage the reservation and 
registration of internet domain names. It allows individuals or organizations 
to claim ownership of a domain and link it to web services like hosting and 
email.
The precise method of the breach is still under investigation. By May 22, 
2025, no evidence of unauthorized access or compromised credentials was found.
_**Did you know?** DNS hijacking attacks often succeed by compromising domain 
registrar accounts through phishing or poor security. Many Web3 projects still 
host domains with centralized providers like GoDaddy or Namecheap. _
## How Curve Finance responded to the hack
_While the registrar was slow to respond, the Curve team took measures to deal 
with the situation. It successfully redirected the &#8220;.fi&#8221; domain to neutral 
nameservers, thus taking the website offline while efforts to regain control 
continued. _
To ensure safe access to the frontend and secure fund management, the Curve 
team quickly launched a secure alternative at &#8220;curve.finance,&#8221; now serving as 
the official Curve Finance interface temporarily.
Upon discovering the exploit at 21:20 UTC, the following actions were taken:
 * Users were immediately notified through official channels 
 * Requested the takedown of the compromised domain 
 * Initiated mitigation and domain recovery processes 
 * Collaborated with security partners and the registrar to coordinate a response.
Compromise of the domain notwithstanding, the Curve protocol and its smart 
contracts remained secure and fully operational. During the disruption of the 
front end, Curve processed over $400 million in onchain volume. No user data 
was at risk, as Curve&#8217;s front end does not store any user information.
Throughout the compromise, the Curve team was always available through its 
Discord server, where users could raise issues with them.
After implementing immediate damage control measures, the Curve team is now 
taking additional steps to prepare for the future.
 * Assessing and enhancing registrar-level security, incorporating stronger protections and exploring alternative registrars 
 * Investigating decentralized front-end options to eliminate dependence on susceptible web infrastructure 
 * Partnering with the broader DeFi and Ethereum Name Service (ENS) communities to advocate for native browser support for &#8220;.eth&#8221; domains.
_**Did you know?** Unlike smart contract exploits, DNS hijacks leave no trace 
onchain initially, making it hard for users to realize they have been tricked 
until funds are gone. It is a stealthy form of crypto theft._
## How crypto projects can deal with DNS hijacking vulnerability
_The Curve Finance attack is concerning because it bypassed the decentralized 
security mechanisms at the protocol level. Curve &#8216;s backend, meaning its smart 
contracts and onchain logic, remained unharmed, yet users lost funds because 
they were deceived at the interface level. This incident underscores a 
significant vulnerability in DeFi. _
While the backend may be decentralized and trustless, the front end still 
depends on centralized Web2 infrastructure like DNS, hosting and domain 
registrars. Attackers can exploit these centralized choke points to undermine 
trust and steal funds.
The Curve attack serves as a wake-up call for the crypto industry to explore 
decentralized web infrastructure, such as InterPlanetary File System (IPFS) 
and Ethereum Name Service (ENS), to reduce reliance on vulnerable centralized 
services.
To address the gap between decentralized backends and centralized frontends, 
crypto projects must adopt a multi-layered approach.
Here are various ways crypto projects can deal with this gap:
 * Minimize reliance on traditional DNS: They can minimize reliance on traditional DNS by integrating decentralized alternatives of DNS like the ENS or Handshake, which reduce the risk of registrar-level hijacks. 
 * Use decentralized file storage systems: Hosting frontends on decentralized file storage systems such as IPFS or Arweave adds another layer of protection. 
 * Implement domain name system security extensions (DNSSEC): Teams should implement DNSSEC to verify the integrity of DNS records and prevent unauthorized changes. 
 * Secure registrar accounts: Registrar accounts must be secured with strong authentication methods, including multifactor authentication (MFA) and domain locking. 
 * Train users: Educating users to verify site authenticity, such as bookmarking URLs or checking ENS records, can reduce phishing success rates. 
Bridging the trust gap between decentralized protocols and centralized 
interfaces is essential for maintaining security and user confidence in DeFi 
platforms.

What is DNS hijacking? How it took down Curve Finance’s website

Animoca Brands chairman Yat Siu told Consensus Miami 2026 that the metaverse 
is over as a consumer destination, and that 100 billion AI agents will become 
blockchain&#8217;s primary users. Animoca Brands chairman Yat Siu told Consensus 
Miami 2026 on Thursday…

Why Yat Siu rejects the metaverse

Prediction markets closed out Consensus Miami 2026 as the subject of a live 
debate on whether they are regulated financial derivatives or gambling 
products operating outside state law. Prediction markets closed out Consensus 
Miami 2026 on Thursday as the subject…

Kalshi denies prediction markets are gambling products

The leading prediction market closed its Series F funding round, led by 
Coatue, to reach institutions, which are Kalshi’s next target audience. The 
move comes as the company reported an astounding rise in annualized volume, 
going from $52 billion to $178 billion over the last six months. Kalshi Closes 
Series F Funding Round, Reaches $22 […]

Kalshi Hits $22 Billion Valuation After Massive $1 Billion Series F Funding Round

A crypto analyst has identified a multi-year Cup and Handle pattern on the 
Bitcoin (BTC) chart that he says has gone largely unnoticed by the broader 
market, despite its significance. The analyst believes this single formation 
signals a major bull trend ahead for Bitcoin, projecting a minimum price 
target of $220,000 once the cryptocurrency begins its parabolic move. 
Bitcoin’s Roadmap To A $220,000 Price Target Market analyst Crypto Tice has 
announced that Bitcoin has completed a Cup and Handle pattern that had been 
forming for years. In an X post, the expert clearly outlined the formation on 
a chart, displaying a rounded U-shaped curve that marks the Cup portion of the 
pattern. This is followed by a handle positioned just above it, defined by 
upper and lower trendlines that sit parallel to each other. Related Reading: 
Ripple’s $12.5 Trillion Claim: How Does XRP Fit Into 13,000 Banks? The 
emergence of a Cup and Handle pattern is often seen as a bullish indicator, as 
it signals that a cryptocurrency may be getting ready to break above 
resistance and extend its uptrend. Notably, Crypto Tice revealed that Bitcoin 
has already broken above a resistance zone of its Cup and Handle pattern, 
reinforcing his bullish stance. The analyst identified this key resistance 
between $62,000 and $74,000, noting that Bitcoin has also cleanly retested 
this area after its recent surge above $80,000. According to Crypto Tice, this 
successful retest has confirmed the overall structure, setting the stage for a 
potential continuation to the upside. Given the strength of these formations, 
Crypto Tice made clear that Cup and Handle patterns do not signal modest moves 
like a 20% rally. Rather, they have historically preceded gains in the 
hundreds of percent, suggesting that a massive price surge could be on the 
horizon for Bitcoin. The analyst predicts that Bitcoin’s next launch phase 
points toward a minimum upper price target of $220,000. This means he expects 
the cryptocurrency to rally even higher if its bullish momentum persists after 
it hits the initially projected high. From its current price above $80,000, 
this would represent a potential gain of more than 171% for Bitcoin. Analyst 
Maps Out Bitcoin’s Potential Rally To $500,000 In a separate analysis, Crypto 
Tice shared a longer-term outlook for Bitcoin, projecting a massive price 
surge to $500,000. He outlined a clear roadmap showing how the BTC price could 
reach this ambitious target. Related Reading: Bitcoin Has Entered Its ‘Most 
Dangerous Quarter,’ And This Expert Is Warning Investors The analyst pointed 
to an ascending channel on the Bitcoin chart, defined by two parallel straight 
lines. The channel shows that Bitcoin previously experienced a parabolic rally 
after completing three distinct moves, which Crypto Tice identified as a 
“first touch” of a support level, “a midrange rally,” and a “rejection back to 
support.” Now, the analyst believes that Bitcoin has completed the same three 
moves within the current channel, reinforcing his bullish stance. He added 
that Bitcoin is also currently sitting at the second support touch, likely 
preparing to launch its next bull trend, with a potential price target of 
$500,000 in sight. Featured image from Dall.E, chart from TradingView.com

Analyst Sets $220,000 Minimum Price Target For Bitcoin, But How Will It Get There?

Two affiliates of the crypto-backed PAC Fairshake reported media buys for 
political candidates in Georgia, Alabama, Nebraska, Kentucky and Texas this 
week.

What is DNS hijacking? How it took down Curve Finance’s website

Comments