Full Report
A large number of crypto companies had their domains stolen. The only thing the domains had in common was that they were all Squarespace domains that had been migrated over from Google Domains after the merger. This article explains the incident response that was done.

When the ownership of a domain was migrated, the domain owner and any collaborator were granted the domain manager permission on Squarespace. Since most Google Domains users did not yet have a Squarespace account, Squarespace pre-emptively mapped each Google email address to a Squarespace account. Once someone logged in under that email, they had access to the domain. Squarespace has many login options, such as continue with Google, continue with Facebook, and regular email/password logins. Since the migration was coming from Google, the developers likely assumed that all of the domains would be owned by Gmail accounts.

The threat actor stole a lot of domains and planted plenty of backdoors in the system for when they got caught. SEAL coordinated the recovery of many of the domains and helped mitigate these backdoor techniques.

The author of the post has a few notes for security teams. First, defense in depth matters: YubiKey 2FA and monitoring with alarms are great things to have. Second, re-evaluate the attack surface of your system when external things change. Third, minimize special cases in your system; the security assumptions you made before can break with a small change like this one. Emails need to be validated. That is a really simple check that would have prevented all of this, and it is stupid that it was missing. Overall, a great post on a really big deal for the industry with some great lessons along the way.
Analysis Summary
# Incident Report: Multi-Entity Domain Hijacking via Squarespace/Google Migration
## Executive Summary
A large-scale domain hijacking campaign targeted numerous cryptocurrency companies following the migration of assets from Google Domains to Squarespace. Threat actors exploited a flaw in Squarespace’s account mapping logic to seize control of domain management permissions. The incident resulted in widespread domain theft, the placement of persistent backdoors, and significant operational disruption across the decentralized finance (DeFi) sector.
## Incident Details
- **Discovery Date:** July 2024 (Approximate)
- **Incident Date:** Post-migration period following the Google Domains/Squarespace acquisition
- **Affected Organization:** Multiple Cryptocurrency and DeFi firms (e.g., Celer, Compound, etc.)
- **Sector:** Cryptocurrency / Financial Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced during the automatic migration of Google Domains to Squarespace.
- **Vector:** Exploitation of a pre-emptive account mapping flaw.
- **Details:** To facilitate the migration, Squarespace pre-mapped Google Domains owners/collaborators to Squarespace accounts by email address. However, the system did not verify that whoever logged in under a mapped email actually controlled that mailbox (e.g., it accepted alternative login methods without a fresh email verification), allowing attackers to claim "unclaimed" migrated accounts.
### Lateral Movement
- **Details:** Attackers did not move laterally through internal networks but rather moved "horizontally" across the Squarespace platform, seizing control of any domain that had been migrated from Google but not yet "claimed" or secured by the legitimate owner on the new platform.
### Data Exfiltration/Impact
- **Details:** Assets stolen were the domains themselves. Attackers updated DNS records to point to malicious infrastructure, likely for phishing or draining crypto wallets.
### Detection & Response
- **Details:** The incident was detected when multiple crypto firms reported unauthorized DNS changes. The SEAL (Security Alliance) team coordinated a large recovery effort, identifying backdoor accounts and reclaiming domain ownership for affected parties.
## Attack Methodology
- **Initial Access:** Exploitation of flawed account provisioning/mapping logic during a third-party service merger.
- **Persistence:** Implementation of multiple "backdoor" collaborator accounts within the Squarespace domain management console to maintain access after initial password resets.
- **Privilege Escalation:** Legitimate "Domain Manager" permissions were automatically granted to the attacker-controlled accounts upon login.
- **Defense Evasion:** Use of legitimate administrative features within Squarespace to hide malicious changes.
- **Credential Access:** Bypassing traditional credential requirements by exploiting "Continue with Google/Facebook" login assumptions.
- **Impact:** Unauthorized DNS modification leading to full domain hijacking.
## Impact Assessment
- **Financial:** Potentially millions in diverted crypto assets (indirectly via phishing/DNS poisoning).
- **Data Breach:** Compromise of domain administrative metadata and DNS configurations.
- **Operational:** Significant disruption as firms lost control of their primary web interfaces.
- **Reputational:** High; loss of user trust in the security of affected DeFi protocols.
## Indicators of Compromise
- **Behavioral indicators:**
  - Unauthorized additions of new "Collaborator" or "Manager" roles in Squarespace.
  - Unexpected DNS record updates (A, MX, or CNAME records).
  - Logins from unrecognized OAuth providers for administrative emails.
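The three behavioral indicators above (and the monitoring recommendation further down) can be turned into a small detection pass over registrar audit events. The following is an added example, not code from the original post, SEAL or Squarespace: the JSON-lines event schema, the field names and the sample records are constructed assumptions, and the baseline is something the defending team would maintain out of band.

```python
"""Detection logic for the behavioral indicators listed in this report, run
over constructed sample events.  Added example; the event schema, field names
and sample records are assumptions, not Squarespace's audit-log format."""
import json

# Baseline the defender maintains out of band (constructed for the example):
# the collaborators that should exist, the DNS records as last approved, and
# the identity provider each administrative email is expected to sign in with.
BASELINE = {
    "collaborators": {"ops@example-defi.test", "eng@example-defi.test"},
    "dns": {
        ("example-defi.test", "A"): "198.51.100.10",
        ("example-defi.test", "MX"): "mail.example-defi.test.",
    },
    "expected_idp": {"ops@example-defi.test": "google"},
}

# Constructed audit-log lines in a hypothetical JSON-lines format.  The second
# login, the role addition and the A-record change are the suspicious ones;
# the final MX update re-asserts the approved value and should not alert.
SAMPLE_LOG = """
{"ts":"2024-07-09T10:00:00Z","type":"login","actor":"ops@example-defi.test","idp":"google"}
{"ts":"2024-07-09T10:05:00Z","type":"login","actor":"ops@example-defi.test","idp":"password"}
{"ts":"2024-07-09T10:06:00Z","type":"role_add","actor":"ops@example-defi.test","target":"persist@attacker.test","role":"Domain Manager","domain":"example-defi.test"}
{"ts":"2024-07-09T10:07:00Z","type":"dns_update","actor":"ops@example-defi.test","domain":"example-defi.test","record":"A","value":"203.0.113.7"}
{"ts":"2024-07-09T11:00:00Z","type":"dns_update","actor":"eng@example-defi.test","domain":"example-defi.test","record":"MX","value":"mail.example-defi.test."}
"""


def parse_events(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events, baseline):
    """Return (indicator, timestamp, detail) tuples for every event that
    matches one of the report's behavioral indicators."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "role_add" and ev["target"] not in baseline["collaborators"]:
            # Indicator 1: a collaborator/manager that is not on the approved list.
            alerts.append(("unexpected_role_add", ev["ts"], ev["target"]))
        elif kind == "dns_update":
            # Indicator 2: any record value that differs from the approved baseline.
            key = (ev["domain"], ev["record"])
            if baseline["dns"].get(key) != ev["value"]:
                detail = f"{ev['record']} {ev['domain']} -> {ev['value']}"
                alerts.append(("dns_drift", ev["ts"], detail))
        elif kind == "login":
            # Indicator 3: an administrative email signing in through a login
            # method other than the one the team expects for it.
            expected = baseline["expected_idp"].get(ev["actor"])
            if expected and ev["idp"] != expected:
                alerts.append(("unexpected_idp", ev["ts"], f"{ev['actor']} via {ev['idp']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG), BASELINE):
        print(*alert)
```

The DNS check deliberately alerts on any value that differs from the approved baseline, even when the actor is a known collaborator; reconciling those alerts against change tickets is cheaper than discovering a hijack from a user report, which is how this incident surfaced.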
## Response Actions
- **Containment:** Coordination with Squarespace to freeze affected accounts.
- **Eradication:** Extensive audit of "Collaborator" lists to remove threat actor backdoors.
- **Recovery:** Restoration of original DNS settings and enforcement of Hardware Security Keys (YubiKeys) for all administrative accounts.
## Lessons Learned
- **Third-Party Risk:** External changes (mergers/migrations) can fundamentally alter your attack surface without your direct involvement.
- **Assumption Flaws:** Developers assumed all migrated Google users would be verified Gmail users, failing to account for how Squarespace's multi-auth system would interact with unverified accounts.
- **Email Validation:** A lack of strict email verification during the account "claiming" process was a primary failure point.
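The assumption flaw and missing email validation described here (and under Initial Access above) come down to one decision: whether a pre-mapped permission is bound to an email string or to a verified mailbox. The following is an added example, not Squarespace's or Google's code; it is a deliberately simplified model, and the data structures, function names and sample accounts are assumptions constructed for illustration.

```python
"""Simplified model of the migration account-claiming flaw described in the
report, with the flawed and the hardened variant side by side.  Added example;
not Squarespace's or Google's code, and the structures and sample accounts are
constructed assumptions."""
from dataclasses import dataclass, field

DOMAIN_MANAGER = "domain_manager"


@dataclass
class Account:
    email: str
    # Addresses the platform has actually confirmed this account holder
    # controls (via a verified-email claim from the mailbox's identity
    # provider, or an emailed verification link).  A regular sign-up with a
    # typed-in address does not add anything here.
    verified_emails: set = field(default_factory=set)
    roles: dict = field(default_factory=dict)  # domain -> role


# Constructed sample: the pre-emptive mapping created during migration,
# keyed by the Google Domains owner/collaborator email.
PRE_MAPPED = {
    "ops@example-defi.test": {"example-defi.test"},
}


def claim_vulnerable(pre_mapped, account):
    """Flawed logic: whoever signs in with a matching email string receives the
    pre-mapped domain-manager role, whether or not the platform ever verified
    that they control the mailbox."""
    for domain in pre_mapped.get(account.email, set()):
        account.roles[domain] = DOMAIN_MANAGER
    return account.roles


def claim_hardened(pre_mapped, account):
    """Hardened logic: the pre-mapped role is granted only once the email has
    been verified for this account; an unverified match grants nothing."""
    if account.email not in account.verified_emails:
        return {}
    for domain in pre_mapped.get(account.email, set()):
        account.roles[domain] = DOMAIN_MANAGER
    return account.roles


def demo():
    """Compare both variants for an unverified claimant and the real owner."""
    # Someone creates a regular account with the mapped email string and never
    # proves control of the mailbox.
    unverified_vuln = claim_vulnerable(PRE_MAPPED, Account(email="ops@example-defi.test"))
    unverified_hard = claim_hardened(PRE_MAPPED, Account(email="ops@example-defi.test"))
    # The legitimate owner signs in through the provider that verified the mailbox.
    owner = Account(email="ops@example-defi.test",
                    verified_emails={"ops@example-defi.test"})
    owner_hard = claim_hardened(PRE_MAPPED, owner)
    return unverified_vuln, unverified_hard, owner_hard


if __name__ == "__main__":
    print(demo())
```

The hardened variant keeps the convenience of pre-mapping (the owner still lands on a ready-made permission set) but moves the grant behind the verification step, which is the "fresh verification during migrations" recommendation in concrete form.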
## Recommendations
- **Defense in Depth:** Implement hardware-based 2FA (e.g., YubiKey) for all domain and infrastructure management.
- **Monitoring:** Implement automated alerts for any changes to DNS records or registrar-level account permissions.
- **Attack Surface Management:** Proactively re-evaluate security settings whenever a vendor changes their underlying platform (e.g., the Google to Squarespace move).
- **Input/Identity Validation:** Ensure all email-linked accounts undergo a fresh verification process during platform migrations.