Cyber Incident Victim: Namecheap
Date:
Feb 2023
Location:
United States of America
Summary
A domain registrar experienced a breach of its outbound email via its account at a third-party email provider, SendGrid, leading to phishing campaigns impersonating MetaMask and DHL. Attackers sent fraudulent emails directing recipients to malicious sites that solicited cryptocurrency wallet recovery phrases or personal information, aiming to steal funds and sensitive data. The company denied any compromise of its internal systems, attributed the incident to an upstream provider, and temporarily suspended all email services, including security notifications, while investigating. The email service provider contradicted claims that its platform had been breached, leaving the attack's origin uncertain despite evidence of unauthorized mailings from the registrar's account. Services were restored after several hours of disruption.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 12, 2023, domain registrar Namecheap experienced a breach involving its email infrastructure, leading to a widespread phishing campaign. Starting around 4:30 PM EST, threat actors used Namecheap's SendGrid account, a third-party email platform the company had historically used for communications such as renewal notices, to send fraudulent emails impersonating DHL and MetaMask. The DHL-themed emails claimed recipients owed delivery fees and directed them to phishing sites harvesting personal information. The MetaMask-themed emails falsely warned users that their cryptocurrency wallets faced suspension unless they completed "KYC verification" via a link to a spoofed MetaMask page built to capture private keys or recovery phrases. Recipients shared examples on social media, including Twitter, where Namecheap CEO Richard Kirkendall acknowledged the compromise. The attack continued for several hours and affected an unspecified number of recipients. Mail headers confirmed SendGrid as the sending infrastructure, and Namecheap cited a possible connection to a December 2022 CloudSEK report detailing SendGrid, Mailgun and MailChimp API keys exposed in mobile apps; neither party confirmed that a leaked key was the actual access path.
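The exposed-API-key report is the one concrete access path the paragraph above mentions. The Python below is an added example, not code from the original page and not CloudSEK's, Namecheap's or SendGrid's tooling: it scans text such as `strings` output from an unpacked app or a configuration dump for ESP API keys and suppresses documentation placeholders by entropy, which is the false positive that dominates this kind of scan. The key shapes in `KEY_PATTERNS` are assumptions based on the providers' publicly documented formats, `MIN_ENTROPY_BITS` is a chosen threshold, and `SAMPLE_STRINGS` is constructed input.

```python
import math
import re

# Regexes for the key shapes the providers publish. These are assumptions
# drawn from public documentation, not from the page or from CloudSEK's
# tooling; verify against each provider's current format before relying on them.
KEY_PATTERNS = {
    "sendgrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "mailgun": re.compile(r"\bkey-[0-9a-zA-Z]{32}\b"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}

# Below this many bits per character a "key" is almost certainly a docs
# placeholder or template such as SG.xxxx...; real keys sit well above 3.
MIN_ENTROPY_BITS = 3.0

# Constructed sample resembling `strings` output from an unpacked mobile app.
# Every value is made up; the "EXAMPLE" line imitates a documentation placeholder.
SAMPLE_STRINGS = "\n".join([
    "com.example.app/BuildConfig",
    "SENDGRID_API_KEY=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",
    "SENDGRID_API_KEY_EXAMPLE=SG." + "x" * 22 + "." + "x" * 43,
    "MAILGUN_KEY=key-3f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c",
    "MAILCHIMP_KEY=9e107d9d372bb6826bd81d3542a419d6-us21",
    "https://api.sendgrid.com/v3/mail/send",
])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(key: str) -> str:
    """Keep just enough of the key to correlate with the provider's dashboard."""
    return key[:6] + "..." + key[-4:]


def scan_for_esp_keys(text: str) -> list:
    """Return findings for every high-entropy ESP key in text, in line order.

    Each finding is {"line": 1-based line number, "provider": name,
    "redacted": redacted key}. The raw key is deliberately never returned.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                key = match.group(0)
                if shannon_entropy(key) < MIN_ENTROPY_BITS:
                    continue  # placeholder such as SG.xxxx..., not a live key
                findings.append({"line": lineno, "provider": provider, "redacted": redact(key)})
    return findings


if __name__ == "__main__":
    for f in scan_for_esp_keys(SAMPLE_STRINGS):
        print(f"line {f['line']}: {f['provider']} key {f['redacted']}")
```

A hit from a scan like this is a lead, not proof: the next step is to confirm with the provider whether the key is still active and what scopes it carries, then rotate it and check the account's send logs for the period it was exposed.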

Namecheap responded by disabling all email sent through SendGrid, which also halted legitimate notifications including two-factor authentication codes, password resets, and device verifications, because those flows depended on the same provider. The company issued a statement asserting its internal systems were not breached and attributing the incident to an unnamed "upstream system" provider; Kirkendall's Twitter posts identified SendGrid as the third-party system involved. Twilio SendGrid disputed claims of a platform compromise, stating that its investigation found no breach of its infrastructure and pointing to its anti-abuse protocols, while declining to give further details. Namecheap restored email functionality by 7:08 PM EST the same day after coordinating with its provider. Neither company confirmed the exact attack vector or the scope of data exposure, leaving open whether the attackers held a valid Namecheap credential or API key for the SendGrid account or exploited something on the provider's side. Users reported receiving DKIM-signed phishing emails for Namecheap's domain: because the ESP was an authorized signer for that domain, the fraudulent mail authenticated like a legitimate renewal notice, which is the indirect supply-chain risk of delegating outbound mail to a third party and a direct reputational risk to the registrar, even though it denied any intrusion into its own systems.
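The header evidence described in the two paragraphs above (SendGrid visible in the Received chain and envelope sender, plus a DKIM signature for the registrar's own domain) is what a responder checks first when a trusted sender starts emitting lures. The Python below is an added example, not code from Namecheap, Twilio SendGrid or the page: it parses a constructed message modeled on the MetaMask lure and flags the combination that made this campaign effective, namely full authentication passes, delivery through a known ESP, and a call to action pointing off the sender's domain. `KNOWN_ESP_SUFFIXES`, the hostnames, IP, selector, signature bytes and the phishing URL in `SAMPLE_EML` are all invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hostname suffixes of hosted sending platforms. Illustrative, not exhaustive.
KNOWN_ESP_SUFFIXES = ("sendgrid.net", "mailgun.org", "mandrillapp.com", "amazonses.com")

# Constructed message modeled on the MetaMask lure. Hosts, IPs, selector,
# signature bytes and the phishing URL are all invented for this example.
SAMPLE_EML = """\
Received: from o1.ptr1234.example-esp.sendgrid.net (o1.ptr1234.example-esp.sendgrid.net [192.0.2.10])
\tby mx.recipient.example with ESMTPS id 4PGx2n1Qw6
\tfor <victim@recipient.example>; Sun, 12 Feb 2023 16:41:02 -0500
Authentication-Results: mx.recipient.example;
\tdkim=pass header.d=namecheap.com header.s=s1 header.b=AbCdEf12;
\tspf=pass smtp.mailfrom=bounces+0000@sendgrid.net;
\tdmarc=pass header.from=namecheap.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=namecheap.com; s=s1;
\th=from:to:subject; bh=Zm9vYmFyYmF6; b=AbCdEf12ghIJkl
From: MetaMask <noreply@namecheap.com>
To: victim@recipient.example
Subject: Your MetaMask wallet will be suspended - complete KYC verification
Content-Type: text/plain; charset=utf-8

Complete KYC verification within 24 hours or your wallet will be suspended:
https://metamask-kyc-verify.example/recover
"""


def parse_auth_results(value):
    """Extract dkim/spf/dmarc verdicts, the DKIM signing domain (header.d) and
    the SPF-checked envelope sender from an Authentication-Results header."""
    def grab(pattern):
        m = re.search(pattern, value or "", re.IGNORECASE)
        return m.group(1).lower() if m else None
    return {
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"\bheader\.d=([^\s;]+)"),
        "spf": grab(r"\bspf=(\w+)"),
        "mailfrom": grab(r"\bsmtp\.mailfrom=([^\s;]+)"),
        "dmarc": grab(r"\bdmarc=(\w+)"),
    }


def esp_for(hostname):
    """Name the ESP a hostname or domain belongs to, or None."""
    host = (hostname or "").lower().strip("[]<>")
    for suffix in KNOWN_ESP_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def same_org(domain, org_domain):
    """True when domain is org_domain or a subdomain of it."""
    return bool(org_domain) and (domain == org_domain or domain.endswith("." + org_domain))


def triage(raw_message):
    """Return the facts a responder wants from one message plus a verdict."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results"))

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[1].lower() if "@" in address else None

    # The first Received header is the one our own MX added; its "from" host
    # is the machine that actually handed the message to us.
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[0], re.IGNORECASE) if received else None
    handoff_host = m.group(1) if m else None

    mailfrom_domain = auth["mailfrom"].rsplit("@", 1)[-1] if auth["mailfrom"] else None
    esp = esp_for(handoff_host) or esp_for(mailfrom_domain)

    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_maintype() == "text"
    )
    link_domains = sorted({d.lower() for d in re.findall(r"https?://([A-Za-z0-9.-]+)", body)})
    off_domain_links = [d for d in link_domains if not same_org(d, from_domain)]

    # Authenticated: DKIM, SPF and DMARC all passed and the DKIM signing domain
    # is the visible From domain, so filters treat it as genuinely from them.
    authenticated = (
        all(auth[k] == "pass" for k in ("dkim", "spf", "dmarc"))
        and auth["dkim_domain"] == from_domain
    )
    # The dangerous combination: fully authenticated, relayed by a third-party
    # ESP that signs for the domain, yet the call to action points elsewhere.
    suspicious = authenticated and esp is not None and bool(off_domain_links)

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "dkim_domain": auth["dkim_domain"],
        "handoff_host": handoff_host,
        "esp": esp,
        "authenticated": authenticated,
        "off_domain_links": off_domain_links,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The point of the `suspicious` rule is that authentication results alone are not a safety signal here: DKIM and SPF passing only prove the mail left an infrastructure the domain owner authorized, which is exactly what an attacker holding the ESP account gets for free. Pivoting on the ESP plus off-domain links, and then on the sending account's own logs, is what separates an abused authorized sender from ordinary spoofing.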
