DNS Hijacking
An attack that modifies DNS records to redirect users from legitimate websites to malicious phishing pages controlled by the attacker.
DNS Hijacking is a type of cyberattack where adversaries gain unauthorized access to DNS records and modify them to redirect users from legitimate domains to attacker-controlled servers. In the context of DeFi and Web3, this attack is particularly devastating because users who type the correct URL into their browser are silently redirected to phishing sites that look identical to the real protocol interface. When users connect their wallets and sign transactions on these fake sites, they unknowingly approve token drains, unlimited approvals, or other malicious operations.
How DNS Hijacking Works
DNS (Domain Name System) translates human-readable domain names like app.example.com into IP addresses that computers use to locate servers. When an attacker compromises DNS records, they change the IP address associated with a domain so that it points to a server they control instead of the legitimate one.
Attackers typically gain access through one of several vectors:
- Registrar account compromise — Gaining access to the domain registrar account (e.g., GoDaddy, Namecheap, Squarespace) through credential theft, password spraying, or social engineering. Once inside, they modify DNS A records or nameserver settings.
- Insider threats — Exploiting access held by employees at DNS providers or registrars, as seen in the Aerodrome Finance incident where an insider threat at NameSilo enabled the attack.
- Registrar platform vulnerabilities — Exploiting security weaknesses in the registrar platform itself, such as missing two-factor authentication enforcement during account migrations.
Notable DeFi Incidents
The Aerodrome Finance DNS hijack of November 2025 redirected users from the protocol's .box and .finance domains to a malicious clone. Over $1 million was drained within an hour as users unknowingly signed unlimited approval requests. Curve Finance experienced similar DNS redirections twice in 2024-2025, and the Squarespace domain hijacking campaign of July 2024 compromised dozens of Web3 projects including Compound and Celer Network.
Prevention and Mitigation
Defending against DNS hijacking requires a multi-layered approach. DNSSEC (DNS Security Extensions) cryptographically signs DNS records so that validating resolvers reject responses whose signatures do not verify against the zone's published keys; it does not, however, protect against an attacker who controls the registrar account, since they can replace the DS record or the nameservers along with the A records. Registrar security hardening includes enforcing MFA on all registrar accounts, using registrar lock features (and registry lock where the TLD offers it), and auditing registrar security posture quarterly.
Decentralized naming alternatives like ENS (Ethereum Name Service) provide censorship-resistant domain resolution that is controlled by the name owner's on-chain key rather than by a registrar account, and so does not depend on traditional DNS infrastructure. Protocols should register ENS domains as backup mirrors that users can fall back on if traditional DNS is compromised.
Monitoring and alerting systems should track DNS record changes in real time and notify security teams of any unauthorized modifications, enabling rapid incident response before significant funds are lost.
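The monitoring described above amounts to comparing each fresh DNS lookup against a known-good baseline and alerting on drift. The following is an added example (not code from this page or from Zealynx) of that comparison logic; the domain, addresses, nameserver names and approved CIDR are constructed sample values, and resolving live records is left to the caller.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsBaseline:
    """Known-good zone state maintained by the protocol team (constructed sample)."""
    a_records: set[str]
    ns_records: set[str]
    allowed_cidrs: list[str] = field(default_factory=list)  # approved hosting ranges


def _norm_names(names: set[str]) -> set[str]:
    # DNS names are case-insensitive and may carry a trailing dot; normalize before comparing
    return {n.rstrip(".").lower() for n in names}


def check_dns_snapshot(domain: str, baseline: DnsBaseline,
                       observed_a: set[str], observed_ns: set[str]) -> list[str]:
    """Compare a freshly resolved snapshot against the baseline.

    Returns alert strings; an empty list means no drift was detected.
    A new A record outside the approved ranges or any nameserver change is CRITICAL,
    since both are what a registrar-level hijack looks like from the outside.
    """
    findings: list[str] = []
    nets = [ipaddress.ip_network(c) for c in baseline.allowed_cidrs]

    for ip in sorted(observed_a - baseline.a_records):
        in_range = any(ipaddress.ip_address(ip) in n for n in nets)
        if in_range:
            findings.append(f"WARN: {domain} A record added: {ip}")
        else:
            findings.append(f"CRITICAL: {domain} A record added: {ip} (outside approved hosting ranges)")

    for ip in sorted(baseline.a_records - observed_a):
        findings.append(f"WARN: {domain} A record removed: {ip}")

    base_ns, seen_ns = _norm_names(baseline.ns_records), _norm_names(observed_ns)
    if base_ns != seen_ns:
        findings.append(f"CRITICAL: {domain} nameserver set changed: "
                        f"{sorted(base_ns)} -> {sorted(seen_ns)}")
    return findings


if __name__ == "__main__":
    baseline = DnsBaseline({"203.0.113.10"}, {"ns1.example-dns.net", "ns2.example-dns.net"},
                           ["203.0.113.0/24"])
    # Constructed "hijacked" snapshot: A record moved to an unapproved host, NS replaced
    for line in check_dns_snapshot("app.example.com", baseline,
                                   {"198.51.100.7"}, {"ns1.attacker-dns.example"}):
        print(line)
```

Run on a schedule, feed it the records returned by several independent resolvers and page on any CRITICAL line.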