In an interesting attack, a scammer was able to take over domains by presenting a registrar w/ a fake court order. Used the same language as a real court order. The scammer then used that control to push dark web market phishing sites, stealing BTC. vice.com/en/article/qj8833/d…
Maybe you heard that the domain dark.fail (@DarkDotFail ) got hijacked. Here's the story on how it happened. A thread! (I've pieced together the data I have so I might have some small errors in this thread, FYI.)
Shout out to Dread for still being the most valuable resource around. Thank you to all admins, mods for quickly warning people about Darknetlive and dark.fail's domain takeovers the past four days. Long live Dread!
Follow my Mastodon. mastodon.social/@darkdotfail The attacker locked me out of Twitter and Reddit but was unable to get past 2FA. I was able to continue tweeting with Buffer but did not want to announce this vector to the attacker. I was unable to remove dark[.]fail from my profile.
Namecheap is still allowing a phishing site to be hosted on my hijacked domain "dark[.]fail". They will not remove the nameservers. This negligence is costing people hundreds of thousands per day. Ticket PVZ-490-11596. Do the right thing, @Namecheap.
ALERT: "dark[.]fail" is still hijacked by a phisher. Each link appears to be a real site, but a MITM proxies your browsing, allowing the attacker to steal your cryptocurrency and passwords. I estimate people are losing at least 250k Euro per day. Only trust my .onion, PGP verify.
Njalla and Namecheap are working to get my domain back. There's no indication that Njalla was compromised. Thank you for the friendly service @njal_la, please publish an incident report after. Your users should be informed of this attack vector since you are a reseller.
Njalla: "From what we can see, the domain has been transferred by the registrar to another account at the registrar, and then to Namecheap. We've asked the registrar in question (Tucows) to explain what has happened but have not yet gotten any information back." @Tucows
Signed statement from Darknetlive regarding their domain hijack. "domain recovery seems unlikely. It is still unclear how this party obtained access to the njalla account" Help us out @njal_la raw.githubusercontent.com/Da…
Onion[.]live's domain was also hijacked and is serving MITM phishing links which steal cryptocurrency. Researchers: let's log the phisher's cryptocurrency addresses (very carefully) while this very coordinated attack is ongoing.
My domain dark[.]fail was hijacked 12hr ago. I am not in control of it. DarknetLive's domain was also stolen.
We are not the same person. Our registrar Njalla is the common denominator between both attacks. My 2FA was on. I received no emails from Njalla. Something is broken.
Shout out to @Cloudflare's "Certificate Transparency Notification" alert that notified me that my domain was stolen today due to a new cert being issued. Now the long process of trying to get dark[.]fail back, while tens of thousands of people are getting phished. Help @Namecheap
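An added example (not the thread author's or Cloudflare's code) of the kind of check behind the Certificate Transparency alert described above: scan CT log entries for a domain and flag certificates whose issuer is outside the operator's baseline or which add hostnames never seen before. The entry shape follows crt.sh's JSON output; the hostnames, issuers in the sample entries and the baseline are constructed.

```python
import re
from datetime import datetime

# Constructed sample entries in the shape crt.sh returns for a domain query.
# The final entry models a hijack: a new issuer and a new hostname appear.
SAMPLE_CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3",
     "name_value": "example-monitored.test\n*.example-monitored.test",
     "not_before": "2021-01-10T09:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3",
     "name_value": "example-monitored.test",
     "not_before": "2021-03-12T09:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example-monitored.test\nwww.example-monitored.test",
     "not_before": "2021-04-17T02:13:00"},
]

def issuer_org(issuer_name):
    """Extract the O= component of an issuer DN; tolerates commas inside the org."""
    m = re.search(r"(?:^|, )O=(.+?)(?:, [A-Z]+=|$)", issuer_name)
    return m.group(1) if m else issuer_name

def find_unexpected_issuance(entries, expected_issuer_orgs, since_iso):
    """Return alerts for certs logged on/after `since_iso` (ISO-8601 string)
    whose issuer is not in the baseline or which name hosts unseen before then."""
    since = datetime.fromisoformat(since_iso)
    # Hostnames observed before the monitoring window form the "known" set.
    known_names = set()
    for e in entries:
        if datetime.fromisoformat(e["not_before"]) < since:
            known_names.update(e["name_value"].split("\n"))
    alerts = []
    for e in entries:
        if datetime.fromisoformat(e["not_before"]) < since:
            continue
        org = issuer_org(e["issuer_name"])
        names = set(e["name_value"].split("\n"))
        reasons = []
        if org not in expected_issuer_orgs:
            reasons.append(f"unexpected issuer: {org}")
        new_names = sorted(names - known_names)
        if new_names:
            reasons.append("new hostnames: " + ", ".join(new_names))
        if reasons:
            alerts.append({"id": e["id"], "issuer": org, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_unexpected_issuance(SAMPLE_CT_ENTRIES, {"Cloudflare, Inc."}, "2021-04-01T00:00:00"):
        print(alert)
```

In practice the entries would be fetched periodically from a CT log aggregator for the monitored domain, and any alert triggers a check of DNS and registrar account activity.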