A New Threat Emerges in the DeFi Space
The DeFi ecosystem is facing a new and evolving cybersecurity threat. Hackers are now taking over abandoned DeFi project domains, tricking unsuspecting users into handing over their cryptocurrency. According to a recent report by cybersecurity firm Coinspect, at least 100 DeFi domains have already been hijacked in this fashion, with 475 more at risk.
This wave of attacks differs from traditional phishing. Rather than luring victims through spam emails or social engineering, these attackers rely on outdated links from DeFi aggregators, YouTube videos, or past news articles. Users who click on these outdated sources may unknowingly land on malicious websites set up by cybercriminals.
How the Attack Works
When a DeFi protocol shuts down, its domain name may expire if not renewed. Hackers monitor these expirations and swiftly re-register the domains. Once in control, they inject malicious code into the sites, often mimicking the original design.
One such case involves Astar Exchange, a blockchain platform that previously held $3.5 million in assets. The platform ceased operations in early 2024, and its domain expired in April 2025. In July, attackers re-registered the domain and replaced the homepage with a fake withdrawal prompt, effectively stealing users’ funds.
Coinspect also identified similar attacks targeting ADAO, Andromeada, and Ladex Exchange. In many cases, users were simply following legitimate-looking links that had once led to real services — a dangerous new frontier in crypto scams.
Why This Matters
This kind of attack exposes a major weakness in the decentralized finance world. As projects shut down, many teams fail to maintain control of their digital assets, especially domain names. Meanwhile, trusted platforms like DappRadar and DeFi Llama may still reference these inactive projects, inadvertently sending traffic to compromised sites.
Because no phishing email is involved, users have a false sense of security. They believe they’re visiting a legitimate platform, making them more likely to interact and even approve wallet transactions, unknowingly sending funds to hackers.
Protecting Users and the Ecosystem
To mitigate this threat, security experts advise DeFi project teams to renew their domains, even after a project has ended. Adding a clear warning on the homepage that the platform is no longer active can also prevent misuse. Additionally, informing analytics and aggregation platforms about project closures can help remove or flag outdated listings.
For users, the best practices include:
- Verifying URLs before engaging with any platform;
- Avoiding transactions on sites with unclear ownership or recent re-registrations;
- Using crypto wallets with anti-phishing protections that block suspicious domains.
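One way an aggregator or wallet maintainer could automate the re-registration check, as an added example (not code from Coinspect's report or from any project named here): it compares the date a link was listed against the registration and expiration events in the domain's RDAP record. The domains, dates and function names are constructed for illustration, and the RDAP records are embedded rather than fetched.

```python
import json
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse an RFC 3339 timestamp or bare date into an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def rdap_event(record, action):
    """Date of the first RDAP event with this eventAction, or None."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == action:
            return parse_ts(ev["eventDate"])
    return None

def assess(listed_on, rdap_json, now, warn_days=60):
    """Classify one listed domain from its RDAP record."""
    record = json.loads(rdap_json)
    registered = rdap_event(record, "registration")
    expires = rdap_event(record, "expiration")
    if registered is None:
        return "unknown"        # no registration event: review by hand
    if registered > parse_ts(listed_on):
        return "re-registered"  # registration is newer than the link pointing at it
    if expires is not None and expires - now <= timedelta(days=warn_days):
        return "expiring"       # lapsed or about to lapse
    return "ok"

def _record(registered, expires):
    """Build a minimal RDAP-style record (constructed sample, not a real lookup)."""
    return json.dumps({"events": [
        {"eventAction": "registration", "eventDate": registered},
        {"eventAction": "expiration", "eventDate": expires},
    ]})

# Constructed sample data: placeholder domains and invented dates.
LISTINGS = {"old-dex.example": "2022-03-01",
            "live-dex.example": "2021-06-15",
            "idle-dex.example": "2023-01-10"}
RDAP = {"old-dex.example": _record("2025-07-02T09:00:00Z", "2026-07-02T09:00:00Z"),
        "live-dex.example": _record("2021-05-01T00:00:00Z", "2027-05-01T00:00:00Z"),
        "idle-dex.example": _record("2022-12-01T00:00:00Z", "2025-08-20T00:00:00Z")}

def audit(now):
    """Map each listed domain to its verdict as of `now`."""
    return {d: assess(listed, RDAP[d], now) for d, listed in LISTINGS.items()}

if __name__ == "__main__":
    for domain, verdict in audit(parse_ts("2025-08-01")).items():
        print(f"{domain:20} {verdict}")
```

A domain that is sold or transferred without lapsing keeps its original registration date, so this check only catches domains that were dropped and registered again.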
Coinspect warns that these attacks are currently relatively simple, but there’s potential for escalation. Should attackers begin reviving old social media channels or mimicking team members, even seasoned users may find it harder to spot fakes.
Conclusion
The hijacking of abandoned DeFi domains is a growing cybersecurity concern that threatens to undermine trust in the DeFi ecosystem. As hackers become more strategic and subtle in their methods, both developers and users must remain vigilant. Proactive domain management, timely communication, and user education are key to closing this dangerous loophole before it causes broader harm to the DeFi community.





