Web3 infrastructure firm Ankr is known for offering node endpoints, staking services, and other products to proof-of-stake blockchains. On Friday, an attacker served a scam pop-up to users of Ankr's Polygon and Fantom endpoints by hijacking the firm's domain name system (DNS) records, in an attempt to steal users' seed phrases. Ankr quickly reversed the change, which it attributed to human error at a third party, and stated that no funds were lost in the incident.
Attack Targeting Gateways to Polygon and Fantom
Soon after independent security researcher "CIA Officer" first flagged the attack, Polygon CTO Mudit Gupta took to Twitter, urging users to switch to alternative RPC services while the issue was being fixed. He also named the infrastructure provider responsible for the failure:
We’ll work closely with Ankr to ensure this does not happen again.
We are also working on a more decentralized alternative as a research project and a foundation owned RPC node for more reliability.
— Mudit Gupta (@Mudit__Gupta) July 1, 2022
Only hours after the attacker compromised the gateways to Fantom and Polygon, Ankr released a full statement on Twitter, assuring users that the attack had been quickly "neutralized." According to the firm, all core services were unaffected; only two free-to-use public remote procedure call (RPC) endpoints for Fantom and Polygon, hosted on an external domain, were briefly compromised.
The exploit began not with a flaw in Ankr's software but with social engineering of a centralized dependency: the attacker reportedly deceived a third-party DNS provider into handing over control of the Polygon and Fantom endpoint domains. Gandi, the registrar holding Ankr's domains, was reportedly tricked by the attacker's forged identity into changing the email address on the domain registrar account, which gave the attacker control of the account and, with it, of the domains' DNS records.
With the domains under their control, the attacker pointed them at a phishing page: users who reached the blockchains through Ankr's endpoints were shown a prompt urging them to urgently reset their seed phrase on PolygonApp. A seed phrase is the master secret for a wallet, so anyone who entered it there handed the attacker the means to drain their funds.
The full explanation behind the exploit is still unknown, as Ankr is trying to establish what Gandi accepted as proof of identity for the change, but the firm has acknowledged that the compromise stems from its domains being "a centralized point of failure."
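The attack chain described above (registrar account takeover, then DNS records repointed at a phishing page) is exactly what an endpoint operator or a downstream user would want to detect early. The following Python script is an added illustration, not code from Ankr, Gandi, or Polygon: it compares a pinned baseline for a domain (nameservers, A records of the RPC hostnames, registrar EPP lock statuses, account contact email) against an observed snapshot and lists every drift, and separately classifies the reply to a JSON-RPC eth_chainId probe so that an HTML page served where JSON-RPC is expected is flagged. All hostnames, addresses, and snapshot values are constructed for the example; in practice the observed snapshot would be filled from a resolver and an RDAP/WHOIS lookup, which the script does not perform.

```python
"""Added example (not the original page's or any vendor's code): detect
registrar/DNS drift and an RPC endpoint that no longer answers JSON-RPC.
All domains, addresses and snapshots below are constructed assumptions."""
from __future__ import annotations

import json
from dataclasses import dataclass

# EPP status codes a registrar sets when a domain is locked against
# transfer, update and deletion. Their absence is a finding on its own.
LOCK_STATUSES = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}


@dataclass
class DomainSnapshot:
    domain: str
    nameservers: set[str]
    a_records: dict[str, set[str]]  # hostname -> set of IPv4 addresses
    epp_statuses: set[str]
    account_email: str              # contact email on the registrar account


def check_domain(baseline: DomainSnapshot, observed: DomainSnapshot) -> list[str]:
    """Return one human-readable finding per difference that matters."""
    if baseline.domain != observed.domain:
        raise ValueError("snapshots describe different domains")
    findings: list[str] = []
    if observed.nameservers != baseline.nameservers:
        findings.append(
            f"{observed.domain}: nameservers changed "
            f"{sorted(baseline.nameservers)} -> {sorted(observed.nameservers)}"
        )
    for host, expected in baseline.a_records.items():
        got = observed.a_records.get(host, set())
        if got != expected:
            findings.append(f"{host}: A records changed {sorted(expected)} -> {sorted(got)}")
    missing = LOCK_STATUSES - observed.epp_statuses
    if missing:
        findings.append(f"{observed.domain}: registrar locks missing {sorted(missing)}")
    if observed.account_email != baseline.account_email:
        findings.append(
            f"{observed.domain}: registrar account email changed to {observed.account_email}"
        )
    return findings


def classify_rpc_probe(status: int, content_type: str, body: str, expected_chain_id: int) -> str:
    """Classify an HTTP reply to a JSON-RPC eth_chainId probe.

    Returns "ok", "http_error", "non_jsonrpc" (e.g. an HTML phishing page
    served where JSON-RPC is expected) or "wrong_chain".
    """
    if status != 200:
        return "http_error"
    if "application/json" not in content_type.lower():
        return "non_jsonrpc"
    try:
        msg = json.loads(body)
    except ValueError:
        return "non_jsonrpc"
    result = msg.get("result") if isinstance(msg, dict) else None
    if not isinstance(result, str) or not result.startswith("0x"):
        return "non_jsonrpc"
    if int(result, 16) != expected_chain_id:
        return "wrong_chain"
    return "ok"


# Constructed baseline: the state an operator pins after setting up the domain.
BASELINE = DomainSnapshot(
    domain="example-rpc.test",
    nameservers={"ns1.example-dns.test", "ns2.example-dns.test"},
    a_records={"polygon.example-rpc.test": {"203.0.113.10"},
               "fantom.example-rpc.test": {"203.0.113.11"}},
    epp_statuses=set(LOCK_STATUSES) | {"ok"},
    account_email="ops@example-rpc.test",
)

# Constructed "observed" snapshot mimicking a registrar-account takeover:
# contact email swapped, locks gone, nameservers and one A record repointed.
OBSERVED = DomainSnapshot(
    domain="example-rpc.test",
    nameservers={"ns1.attacker.test", "ns2.attacker.test"},
    a_records={"polygon.example-rpc.test": {"198.51.100.77"},
               "fantom.example-rpc.test": {"203.0.113.11"}},
    epp_statuses={"ok"},
    account_email="attacker@mailbox.test",
)

# Constructed probe replies: Polygon's chain id is 137 (0x89), Fantom's 250 (0xfa).
GOOD_REPLY = '{"jsonrpc":"2.0","id":1,"result":"0x89"}'
PHISH_REPLY = "<html><body><h1>Reset your seed phrase now</h1></body></html>"

if __name__ == "__main__":
    for finding in check_domain(BASELINE, OBSERVED):
        print("DRIFT:", finding)
    print("probe:", classify_rpc_probe(200, "application/json", GOOD_REPLY, 137))
    print("probe:", classify_rpc_probe(200, "text/html; charset=utf-8", PHISH_REPLY, 137))
```

Run on a schedule from a host outside the provider's infrastructure, the drift checker would have raised four findings within one polling interval of the takeover described above, and the probe classifier catches the symptom users actually saw: HTML where a JSON-RPC reply belongs.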
3/ Current status:
At this moment, Ankr has fully regained access to our Domain account, and our services are restored. None of Ankr’s systems were affected.
— Ankr (@ankr) July 1, 2022
It is no longer unusual for a third party's error to lead to a crypto platform being compromised. Only days ago, the largest NFT marketplace, OpenSea, reported a data breach, attributing it to an employee of Customer.io, a third-party platform the company had hired.
Because the leaked customer data was followed by suspicious emails, phone calls, and messages from scammers, OpenSea warned its customers to remain vigilant and emailed them anti-phishing guidance.