Cyber Incident Victim: Liquid
Date: Nov 2020
Location: Japan
Summary
A cryptocurrency exchange suffered a security breach when an attacker compromised its domain provider via social engineering, hijacked DNS records, and redirected employee traffic to fraudulent login pages to steal credentials. After accessing internal email accounts and pivoting to the network, the intruder exfiltrated user data including names, addresses, emails, and encrypted passwords, though no funds were taken. The company acknowledged potential theft of identity verification documents submitted by users and advised credential resets, while attributing the incident to the DNS provider’s compromise.
Description
On November 13, 2020, Liquid, a cryptocurrency exchange ranked among the top 20 globally, suffered a security breach initiated through a social engineering attack targeting its domain name provider. The attacker successfully manipulated the provider into transferring control of Liquid’s domain account, enabling them to hijack the company’s DNS records. This redirection funneled incoming traffic to a server under the hacker’s control, which hosted fraudulent login pages designed to harvest employee email credentials. After compromising these accounts, the attacker pivoted to Liquid’s internal network infrastructure. The intrusion was detected before any customer funds were stolen, but subsequent investigations confirmed the exfiltration of user data from Liquid’s databases, including real names, home addresses, email addresses, and encrypted passwords. Liquid CEO Mike Kayamori acknowledged the possibility that proofs-of-identity submitted during user onboarding might also have been accessed, though this remained under investigation. The company urged all users to reset passwords and two-factor authentication (2FA) credentials as a precautionary measure, emphasizing that password encryption reduced immediate account risks.

The breach followed a pattern of DNS hijacking attacks prevalent in the cryptocurrency sector, as evidenced by historical incidents cited by Liquid. These included the June 2020 compromise of Coincheck, where fake login pages harvested 200 account passwords; the August 2018 MyEtherWallet DNS hijacking that collected private wallet keys; and the January 2018 theft of over $400,000 in Stellar Lumen funds from BlackWallet.com. Other notable cases involved EtherDelta (December 2017), Etherparty ICO (October 2017), and Classic Ether Wallet (July 2017), all exploiting DNS vulnerabilities to redirect users and steal credentials or assets. Liquid’s internal response centered on securing its systems, analyzing the breach scope, and coordinating with its domain provider to restore legitimate DNS configurations. No financial losses were reported, but the exposure of personally identifiable information underscored the operational and reputational impacts of the incident.
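The attack chain described above starts with a change to the zone's delegation (NS) and host (A/CNAME) records at the registrar, which is visible from the outside long before the first credential is phished. The following is an added example, not code from Liquid or from this incident record: a small baseline-drift check that compares a set of expected DNS record sets against what a resolver currently returns and ranks any deviation, treating NS changes as the most severe because they indicate the zone delegation itself has been moved. All domain names and addresses are constructed placeholders, and the "observed" answers are a hand-built dictionary standing in for resolver output so the example runs offline.

```python
"""Detect registrar-level DNS hijacking by diffing live answers against a baseline.

Added example for this incident record. The zone, hosts and addresses below are
constructed placeholders (RFC 2606 / RFC 5737 reserved values), not real records.
"""


def _norm(value: str) -> str:
    """Normalise a record value so cosmetic differences are not reported as drift."""
    return value.strip().lower().rstrip(".")


def _norm_set(values) -> set:
    return {_norm(v) for v in values}


# Baseline: the record sets the operator expects, keyed by (owner name, type).
# Constructed example data; a real deployment would load this from version control.
BASELINE = {
    ("example-exchange.invalid", "NS"): {"ns1.registrar.invalid.", "ns2.registrar.invalid."},
    ("app.example-exchange.invalid", "A"): {"203.0.113.10"},
    ("mail.example-exchange.invalid", "MX"): {"10 mx.example-exchange.invalid."},
}


def severity(rtype: str) -> str:
    """Rank drift by how directly the record type enables the described attack."""
    if rtype == "NS":
        return "critical"   # delegation moved: every record below it is now attacker-controlled
    if rtype in ("A", "AAAA", "CNAME", "MX"):
        return "high"       # traffic or mail can be redirected to a credential-harvesting host
    return "medium"


def diff_records(baseline: dict, observed: dict) -> list:
    """Compare observed answers against the baseline.

    Returns one finding per drifted record set as a dict with keys
    name, rtype, kind ('missing' | 'changed' | 'unexpected'), removed, added, severity.
    """
    findings = []
    for (name, rtype), expected in baseline.items():
        expected = _norm_set(expected)
        seen = observed.get((name, rtype))
        if seen is None:
            findings.append({"name": name, "rtype": rtype, "kind": "missing",
                             "removed": expected, "added": set(),
                             "severity": severity(rtype)})
            continue
        seen = _norm_set(seen)
        if seen != expected:
            findings.append({"name": name, "rtype": rtype, "kind": "changed",
                             "removed": expected - seen, "added": seen - expected,
                             "severity": severity(rtype)})
    # Records that exist but were never baselined are also worth a look.
    for (name, rtype), seen in observed.items():
        if (name, rtype) not in baseline:
            findings.append({"name": name, "rtype": rtype, "kind": "unexpected",
                             "removed": set(), "added": _norm_set(seen),
                             "severity": severity(rtype)})
    return findings


def worst_severity(findings: list) -> str:
    """Collapse a finding list into one alerting level ('ok' when nothing drifted)."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f["severity"] for f in findings), key=order.get, default="ok")


# Constructed resolver output simulating the hijack pattern: NS delegation moved
# and the application host repointed; MX untouched apart from case/trailing dot.
OBSERVED_HIJACKED = {
    ("example-exchange.invalid", "NS"): {"ns1.attacker-controlled.invalid.",
                                         "ns2.attacker-controlled.invalid."},
    ("app.example-exchange.invalid", "A"): {"198.51.100.7"},
    ("mail.example-exchange.invalid", "MX"): {"10 MX.example-exchange.invalid"},
}


if __name__ == "__main__":
    for f in diff_records(BASELINE, OBSERVED_HIJACKED):
        print(f"[{f['severity']}] {f['name']} {f['rtype']} {f['kind']}: "
              f"-{sorted(f['removed'])} +{sorted(f['added'])}")
    print("overall:", worst_severity(diff_records(BASELINE, OBSERVED_HIJACKED)))
```

In production the `observed` dictionary would be filled by querying several independent public resolvers (not only the organisation's own, which may itself be served by the hijacked delegation) and the check would run on a short schedule, since a delegation change propagates within the NS record TTL. Registrar-side protections such as registry lock and a second factor on the registrar account address the root cause that this check only detects.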
