Hackers Exploit 100 Abandoned DeFi Protocols to Steal Cryptocurrency

Cybercriminals are increasingly hijacking domains of abandoned DeFi protocols to deceive users and steal their cryptocurrencies, according to cybersecurity firm Coinspect.

Hackers are taking control of old domains belonging to inactive decentralized applications (dapps), which continue to be referenced on popular platforms like DeFi Llama and DappRadar, as well as in various news articles. Once these domains are seized, the cybercriminals insert malicious code and alter the website’s content.

"Unlike typical phishing attacks, there's no need for spam emails or social engineering here. Users may find themselves on a malicious site simply by clicking a link in an old video or through a DeFi aggregator," the experts noted.

Coinspect has identified 100 such domains, with another 475 remaining at risk.

One notable example is the blockchain platform Astar Exchange, which held $3.5 million but ceased operations in February 2024, with its domain name expiring in April 2025. In July, the Astar domain was re-registered, and the analysts shared with DLNews that cybercriminals posted a phishing advertisement on the homepage, urging users to withdraw funds from the platform. Clicking the link led to losses of cryptocurrency for the unsuspecting users.

A similar situation occurred with the projects ADAO, Andromeada, and Ladex Exchange. The identity of those behind these attacks remains unknown, and estimating the total amount stolen poses a challenge as hackers frequently change their wallet addresses.

Experts advise projects to extend their domain registrations even after shutting down, post warnings about ceasing operations, and notify analytical platforms accordingly.
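An aggregator or a former project team can check mechanically for the re-registration pattern described above. The sketch below is an added example, not code from Coinspect or any platform named in this article. The listing records, the `.example` domains and the 90-day warning window are constructed assumptions, and the event names follow RDAP (RFC 9083) conventions.

```python
from datetime import date

# Constructed sample: aggregator listings joined with RDAP-style domain events.
# Project names and domains are placeholders, not real services.
LISTINGS = [
    {"project": "ExampleSwap", "domain": "exampleswap.example",
     "shutdown": "2024-02-01",
     "events": {"registration": "2025-07-10", "expiration": "2026-07-10"}},
    {"project": "LiveDex", "domain": "livedex.example",
     "shutdown": None,
     "events": {"registration": "2021-03-05", "expiration": "2027-03-05"}},
    {"project": "OldVault", "domain": "oldvault.example",
     "shutdown": "2024-11-15",
     "events": {"registration": "2020-06-01", "expiration": "2025-09-20"}},
    {"project": "KeptSafe", "domain": "keptsafe.example",
     "shutdown": "2023-05-01",
     "events": {"registration": "2019-01-12", "expiration": "2030-01-12"}},
]

def classify(listing, today, warn_days=90):
    """Classify one listed domain by comparing shutdown and registry dates."""
    if listing["shutdown"] is None:
        return "active"
    shutdown = date.fromisoformat(listing["shutdown"])
    registered = date.fromisoformat(listing["events"]["registration"])
    expires = date.fromisoformat(listing["events"]["expiration"])
    # A registration date later than the shutdown means the name was dropped
    # and picked up again, possibly by a different party.
    if registered > shutdown:
        return "reregistered-after-shutdown"
    # Still held by the original registrant, but about to lapse or lapsed.
    if (expires - today).days <= warn_days:
        return "expiring-or-lapsed"
    return "retained"

def audit(listings, today):
    """Return {domain: status} for every listing that needs attention."""
    flagged = {}
    for item in listings:
        status = classify(item, today)
        if status in ("reregistered-after-shutdown", "expiring-or-lapsed"):
            flagged[item["domain"]] = status
    return flagged

if __name__ == "__main__":
    for domain, status in audit(LISTINGS, date(2025, 8, 1)).items():
        print(f"{domain}: {status}")
```

A listing flagged as re-registered is a candidate for delisting or a warning banner, and one flagged as expiring is a prompt for the former team to renew the name.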

Users should heed this advice:

According to Coinspect experts, current attacks are relatively straightforward. However, they cautioned, "If the attackers enhance their tactics (for instance, by reviving the social media accounts of projects), it will become significantly harder to detect the counterfeit sites."

As a reminder, in January, specialists from CertiK highlighted the escalating threat of phishing attempts.