July 25, 2024
June 4, 2025

DNS Nameserver Hijacking Postmortem

dYdX

Background

In 2023, Squarespace acquired the rights to all domains from the now-defunct Google Domains. All domains were migrated over a period of months. The domain dydx.exchange, owned by dYdX Trading, was migrated from Google Domains to Squarespace on June 15, 2024.

OAuth Weakness

On July 9, while the domain was registered with Squarespace, attackers gained access to the dydx.exchange domain and changed its DNS nameservers from Cloudflare to DDoS-Guard. This attack was mitigated by the DNSSEC settings that remained in place at the registrar: the DNSSEC records still published there could not be satisfied by the attacker's nameservers, so validating resolvers rejected the new answers and would-be visitors' browsers were correctly blocked from loading the page.

dYdX promptly contacted Squarespace customer service during this incident, and Squarespace restored access to the account quickly according to its account-recovery policies. dYdX ensured that all passwords and 2FA were rotated on the Squarespace accounts and that the attacker's access was fully removed. The attack was completely mitigated and fixed within a couple of hours.

Two days later, on July 11, several additional targeted attacks on crypto-specific domains that had been migrated from Google Domains to Squarespace were reported. As a result, SEAL, a crypto-focused security team, put together an incident-response team to figure out what was going on, how the attack could be mitigated, and how to get any relevant information to Squarespace itself. At this point, dYdX realized that the earlier incident was likely part of a broader attack against crypto domains and assisted the investigators. dYdX also continued to monitor the dydx.exchange domain for any suspicious activity.

On July 14, SEAL published a postmortem on the issue based on their findings, but without much direct information from Squarespace. This postmortem suggested that one or more technical vulnerabilities in Squarespace allowed these attacks to happen.

On July 18, Squarespace posted a longer postmortem which confirmed an exploited security issue with OAuth logins on their site. It stated that the issue was fixed on July 12.

Although dYdX had decided to change domain registrars, at this point dYdX believed that Squarespace had successfully mitigated the attack and fixed the vulnerability.

Account-Recovery Attack

On July 23, it was discovered that the dydx.exchange domain had been compromised again. The attacker changed the DNS nameservers from Cloudflare to DDoS-Guard and, this time, also successfully removed the DNSSEC settings on the domain, so the protection that had contained the first attack was gone. dYdX immediately contacted Squarespace customer support. Squarespace was able to return possession of the domain and fix the DNS nameserver resolution within a couple of hours. The recovery was delayed for over 30 minutes by maintenance at one of Squarespace's third-party vendors that prevented changing the DNS nameservers back to Cloudflare.
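A delegation drift check of the kind the domain monitoring mentioned above could run, added here as an illustration and not code from dYdX, SEAL or Squarespace. The nameserver names are constructed placeholders, and the two constructed snapshots mirror the July 9 observation (nameservers changed, DNSSEC intact, resolvers returning SERVFAIL) and the July 23 observation (nameservers changed, DS record removed, attacker's zone resolving normally).

```python
from dataclasses import dataclass

# Expected delegation: Cloudflare nameservers with DNSSEC enabled.
# Placeholder names; not the real dydx.exchange records.
BASELINE_NS = frozenset({"ns1.cloudflare-placeholder.invalid",
                         "ns2.cloudflare-placeholder.invalid"})


@dataclass(frozen=True)
class Snapshot:
    """One observation, as a monitor would gather it from the parent zone
    and from a DNSSEC-validating resolver."""
    ns: frozenset     # NS rrset served by the parent (.exchange) zone
    ds_present: bool  # DS record still published at the parent
    resolves: bool    # validating resolver returned an answer (False = SERVFAIL)


def assess(snap: Snapshot, baseline_ns=BASELINE_NS):
    """Return (severity, reasons) for one observation."""
    reasons = []
    added, removed = sorted(snap.ns - baseline_ns), sorted(baseline_ns - snap.ns)
    if added or removed:
        reasons.append(f"NS delegation changed: added={added} removed={removed}")
    if not snap.ds_present:
        reasons.append("DS record missing at parent: DNSSEC chain of trust removed")
    elif not snap.resolves:
        reasons.append("validating resolvers return SERVFAIL: forged delegation is being blocked")
    if not reasons:
        return "OK", reasons
    # Nameservers changed and DNSSEC gone: the attacker's zone is live for every visitor.
    if (added or removed) and not snap.ds_present and snap.resolves:
        return "CRITICAL", reasons
    # Registrar account is compromised or DNSSEC is broken, but the hijack is not
    # (yet) serving content: an outage to fix, and a takeover to investigate.
    return "HIGH", reasons


# Constructed observations mirroring the two incidents described in the postmortem.
HEALTHY = Snapshot(ns=BASELINE_NS, ds_present=True, resolves=True)
JULY_9 = Snapshot(ns=frozenset({"ns1.attacker-placeholder.invalid"}),
                  ds_present=True, resolves=False)
JULY_23 = Snapshot(ns=frozenset({"ns1.attacker-placeholder.invalid"}),
                   ds_present=False, resolves=True)

if __name__ == "__main__":
    for label, snap in [("healthy", HEALTHY), ("july 9", JULY_9), ("july 23", JULY_23)]:
        severity, reasons = assess(snap)
        print(f"{label}: {severity} {'; '.join(reasons)}")
```

Feeding this with real NS, DS and resolver results from a scheduled lookup (for example via dnspython against a validating resolver) turns it into an alert on exactly the two changes that preceded each takeover.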

The attacker hosted a malicious site which prompted any connected wallet to transfer ETH and other ERC20 tokens to the attacker's Ethereum address. During this time, dYdX also worked with SEAL and other partners to ensure that popular crypto wallets like MetaMask and Phantom would block the site for the duration of the attack. To our knowledge at the time of publishing, two users were affected, with approximately $31,000 in lost funds due to this attack. dYdX Trading is in contact with both affected users, is assisting in securing their wallets, and is committed to recovering funds.

Upon recovery, it was noted that the domain's admin email had somehow been set to the attacker's email address, ending in outlook.com. All other admin accounts had been removed by the attacker. We noted that the attacker's email address had a username similar to the legal name of the billing administrator on dYdX's Squarespace account. This tipped dYdX off to the possibility of a social-engineering attack, since the attacker had specifically chosen a human-believable email address.

In communications with Squarespace, it was revealed that the takeover was caused by a human-initiated reset by Squarespace's customer service, confirming our suspicion of a social-engineering attack. Each of the domain admin accounts was secured with 2FA, but this control was bypassed by Squarespace's account-recovery process. Before removing 2FA and changing the account's email to the attacker's, Squarespace customer service did not attempt to reach out to any other listed admin on the dydx.exchange domain.

Based on the information provided to us by Squarespace, we do not believe that the attacker provided customer service with any valid security credentials. The attacker did not have access to any current or previous domain admin email, password, or 2FA.

Securing the Domain

As a result of Squarespace's OAuth vulnerability and of their account-recovery protocols, two separate domain takeovers with different attack vectors were carried out against the dydx.exchange domain.

As a security measure, dYdX moved the domain registration to Cloudflare on July 24. While Squarespace documentation notes that domain transfers may take up to 15 days, we worked directly with Squarespace to accelerate this process and completed the transfer within 6 hours.

For clarity, no security issues with smart contracts, backend systems, or other company-associated accounts were found as a result of either incident. No issues with dYdX Chain were created by either incident.

Legitimacy and Disclaimer

© 2025 dYdX International Ltd. All rights reserved.

dYdX is a decentralised, disintermediated and permissionless protocol, and is not available in the U.S. or to U.S. persons as well as for Restricted Persons as set out in the dYdX Software Terms of Use, accessible: https://dydx.exchange/v4-terms. dYdX International Ltd (“DI”) does not develop, control or participate in the operation of any component of the dYdX Protocol (including the MegaVault).

The information provided in this website is for general informational purposes only and DI reserves the right to update, modify, or amend any contents herein, at its sole discretion and without prior notice.  Nothing herein should be used or considered as legal, financial, tax, or any other advice, nor as an instruction or invitation to act in any way by anyone.

Engaging in any activity involving crypto-assets (including trading crypto assets and depositing into the MegaVault) is risky due to high volatility. Returns are not guaranteed and may fluctuate over time depending on multiple factors, and you may lose your entire investment, particularly when using leverage. Investment into crypto-assets may not be regulated and may not be suitable for retail investors. You should perform your own research and due diligence before engaging in any activity involving crypto-assets.

In no event will DI be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, arising from or in connection with the use of this website. By continuing to access this website, you agree to the above and accept the possibility of changes in the information provided.
