Celsius GoDaddy DNS Hijacking
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Celsius Network suffered a DNS hijacking attack, where someone managed to successfully impersonate them to GoDaddy, and redirected the website to a malicious server. Due to the way that Celsius is set up, their site is not actually used to authorize any withdrawals, and the attacker did not use the opportunity to phish personal data from users or trick them into downloading a malicious application. This is because the attack was not primarily targeted at Celsius. While no funds were lost, this did cause the credibility of Celsius to be further questioned at the time.
This exchange or platform is based in United States, or the incident targeted people primarily in United States.[1][2][3][4][5][6][7][8][9]
About Celsius Network
"Celsius Network is a cryptocurrency loan company." "Celsius was founded in 2017 with the mission to harness blockchain technology to provide unprecedented financial freedom, economic opportunity, and income equality for the 99%." "Celsius Network Limited was incorporated on 9 February 2018."
"Celsius is proud to provide a platform of curated services that have been abandoned by big banks – things like fair interest, zero fees, and lightning quick transactions. Our goal is to disrupt the financial industry, one happy user at a time, and introduce financial freedom through crypto."
"Celsius is not a bank, depository institution, custodian or fiduciary and the assets in your Celsius account are not insured by any private or governmental insurance plan (including FDIC or SIPC), nor are they covered by any compensation scheme (including FSCS)."
"Using Farsight Security, a service which maps changes to domain name records over time, KrebsOnSecurity instructed the service to show all domains registered at GoDaddy that had alterations to their email records in the past week which pointed them to privateemail.com. Those results were then indexed against the top one million most popular websites according to Alexa.com."
"GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam."
“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.”
“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” GoDaddy’s statement continued. “As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”
"Race declined to specify how its employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the assailants targeted employees over the phone, and were able to read internal notes that GoDaddy employees had left on customer accounts."
"[M]ore info from Alex at 42:21 on [an] interview. Admits Go Daddy had a problem. Will be interesting if they can ever share a proper timeline of events."
"There's no question that we should have announced a maintenance window earlier, that we should have communicated the possibility that there would be propagation... We didn't even think there was propagation, but there was. Again, these are actions that actually GoDaddy took, not that we took, that caused the propagation. And because GoDaddy detected some things internally that are related to them - not to us, they decided to lock down the account. Right, so they locked down our account. We didn't lock down our account. And when we reached out to them, normally, like as you know, when you reach out to them, they go back to you in an hour and so on."
"But something happened inside GoDaddy and that's why Uniswap was down and Liquid and a bunch of other sites were down. And so it's not just something that happened to Celsius, right. It happens that Celsius did maintenance on the DNS exactly at the same time, but something else was going on inside GoDaddy and we're waiting for them to tell us what and how and so on."
"But there's a big difference between us and Liquid and Uniswap and others and the difference is that there's nothing you can do on the Celsius site. You cannot put your password. You cannot withdraw coins. You cannot transact. You can't do anything there, right. It's just an informational site and everything that happens, happens on the blockchain and on our app which are completely separated and segregated from our website. So, because of that, everybody who's watching this can be assured that none of their information was compromised. Right, so again if you look at the point where BlockFi was compromised, right. Whereas everybody with where the hacker stole all of their passwords and all the names and all of the balances that people had, which was what was reported in CoinTelegraph and CoinDesk and so on. That was because that site accepted all that information and the hacker managed to get it through right."
"So there was definitely an event here. We should have informed people better. And the site was shut down because GoDaddy wanted to make sure that there was no hack, there was no penetration, there was no illicit activity. But there was definitely a brute force attempt on the celsius.network site, meaning somebody tried to break the password, go down and shut it down, because they had other things happening with other sites. And as you saw, Liquid had a problem and so on. They had a major problem, right. Celsius didn't have any problem, because, again, there was nothing to steal. So that's the kind of, like the quick version and we're still waiting for that report. And I hope to publicize it the minute we get it. Unless GoDaddy tells us you're not allowed to, we will publicize the report."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| November 21st, 2020 12:16:09 PM MST | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
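The triage KrebsOnSecurity describes above (GoDaddy-registered domains whose MX records were changed within the past week to point at privateemail.com, cross-referenced with a popularity list) can be reproduced over passive-DNS data. The code below is an added example, not code from the original page, from Farsight, or from Krebs; the passive-DNS records, the popularity list, and the celsius.network MX history in it are constructed sample data, and the `suffix`/`window_days` parameters are this example's own.

```python
from datetime import datetime, timedelta

# Constructed passive-DNS observations: (domain, rrtype, rdata, first_seen).
# Sample values for illustration only, not the real record history of any domain.
PASSIVE_DNS = [
    ("celsius.network", "MX", "aspmx.l.google.com.", "2019-03-01T00:00:00"),
    ("celsius.network", "MX", "mx1.privateemail.com.", "2020-11-21T19:16:09"),
    ("exchange-b.test", "MX", "mail.protonmail.ch.", "2019-01-01T00:00:00"),
    ("exchange-b.test", "MX", "mx2.privateemail.com.", "2020-11-18T00:05:00"),
    ("stale.test", "MX", "mx1.privateemail.com.", "2020-10-01T00:00:00"),  # outside the window
    ("always.test", "MX", "mx1.privateemail.com.", "2018-01-01T00:00:00"),  # never changed
    ("small.test", "MX", "aspmx.l.google.com.", "2019-01-01T00:00:00"),
    ("small.test", "MX", "mx1.privateemail.com.", "2020-11-20T00:00:00"),  # not a popular site
    ("corp.test", "MX", "aspmx.l.google.com.", "2020-11-21T10:00:00"),  # recent, but elsewhere
    ("celsius.network", "NS", "ns1.privateemail.com.", "2020-11-21T19:16:09"),  # not MX; ignored
]
TOP_SITES = {"celsius.network", "exchange-b.test", "stale.test", "always.test", "corp.test"}

def under_suffix(host, suffix):
    """True if host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def mx_redirected_recently(records, top_sites, now_iso, window_days=7, suffix="privateemail.com"):
    """Return {domain: (previous_mx, new_mx)} for popular domains whose newest MX
    points under `suffix` and first appeared inside the window. Domains with no
    earlier, different MX observation are skipped: that is evidence of a
    long-standing configuration, not of a change."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    by_domain = {}
    for domain, rtype, rdata, first_seen in records:
        if rtype == "MX":  # email records only; NS/A changes need their own baseline
            host = rdata.rstrip(".").lower()
            by_domain.setdefault(domain, []).append((datetime.fromisoformat(first_seen), host))
    hits = {}
    for domain, obs in by_domain.items():
        if domain not in top_sites or len(obs) < 2:
            continue
        obs.sort()  # oldest first; the last two entries are the previous and current MX
        (_, prev_host), (new_seen, new_host) = obs[-2], obs[-1]
        if new_seen < cutoff or not under_suffix(new_host, suffix) or under_suffix(prev_host, suffix):
            continue
        hits[domain] = (prev_host, new_host)
    return hits

if __name__ == "__main__":
    for d, (old, new) in sorted(mx_redirected_recently(PASSIVE_DNS, TOP_SITES, "2020-11-22T08:00:00").items()):
        print(f"{d}: MX {old} -> {new}")
```

A domain owner can run the same comparison against their own expected MX and NS values after any registrar "maintenance" or account-lock notification, which is where the propagation described in the interview above would first show up.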
Total Amount Lost
No funds were lost.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services – Krebs on Security (Feb 5, 2022)
- So about that DNS issue.... : CelsiusNetwork (Feb 5, 2022)
- Celsius Network | Earn Crypto, Borrow Cash and Unbank Yourself (Jan 30, 2022)
- About Us | Unbank Yourself (Jan 30, 2022)
- Is Celsius Network Safe To Put Your Money (Updated Dec'21 on BadgerDAO) (Jan 30, 2022)
- Celsius CEO: Here's How We CREATE YIELD (Interest Payments) and WHAT Actually Happened with GoDaddy - YouTube (Jun 29, 2022)
- GoDaddy employees tricked into handing over control of cryptocurrency domains - SiliconANGLE (Jun 29, 2022)
- If Celsius is this serious with DNS, looking at Cred bankruptcy, what's happening with our funds? : CelsiusNetwork (Jun 29, 2022)
- Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others – Krebs on Security (Aug 23, 2022)