
Cyber Incident Victim: Bibox

Date: Nov 2020

Location: United States of America

Summary

A social engineering attack targeting GoDaddy employees enabled fraudsters to gain unauthorized control over domain names, including those of multiple cryptocurrency platforms. The attackers manipulated DNS records to redirect email and web traffic, compromising internal email accounts and partially accessing infrastructure. This led to attempts to reset passwords on third-party services like Slack and GitHub. GoDaddy confirmed the breach stemmed from employee deception, locking affected accounts and reverting changes. The incident mirrored prior vishing scams exploiting remote work conditions, with attackers using fraudulent login pages and compiling employee information from public sources to facilitate unauthorized access. Other impacted services included Liquid and NiceHash.


Description

The incident involving Bibox.com occurred within a broader campaign targeting multiple cryptocurrency platforms through compromised GoDaddy domain management accounts between November 13 and November 18, 2020. Attackers socially engineered a limited number of GoDaddy employees, tricking them into transferring control of customer domains. This allowed unauthorized modifications to DNS records, redirecting email and web traffic to attacker-controlled infrastructure. The campaign initially impacted Liquid.com on November 13, where malicious actors gained partial infrastructure access through hijacked email accounts after GoDaddy incorrectly transferred domain control. On November 17-18, NiceHash experienced similar unauthorized DNS changes that briefly redirected traffic, prompting the company to temporarily freeze customer funds while it investigated potential compromises of third-party services like Slack and GitHub.


Analysis of DNS record alterations revealed Bibox.com, Celsius.network, and Wirex.app as additional cryptocurrency platforms potentially targeted through identical redirection patterns to Namecheap's PrivateEmail service. GoDaddy confirmed unauthorized changes to a small number of customer domains during routine audits, attributing the breach to employee social engineering rather than technical vulnerabilities. The registrar locked affected accounts, reverted malicious modifications, and assisted customers in regaining access. While NiceHash reported no confirmed data theft due to rapid detection and mitigation, Liquid disclosed partial infrastructure compromise through hijacked email accounts. No operational or financial impact specifics were publicly confirmed for Bibox.com, as the company did not respond to inquiries about the incident. The attack methodology mirrored previous March 2020 GoDaddy compromises involving fraudulent login pages and employee credential harvesting through vishing scams.
