Cyber Incident Victim: domain.me
Date: Jan 2014
Location: Montenegro
Summary
Hackers from the Pakistani group TeaM MaDLeeTs breached the systems of Montenegro's domain registrar domain.me, hijacking approximately 3,500 domains and redirecting them to defacement pages. The impacted domains, including the registrar's own nic.me and domain.me, were later restored by the organization, though attackers preserved mirrors of the defacements and claimed the hijacked domains resided on the compromised server. The registrar did not publicly comment on the incident despite the widespread disruption to .me domain services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 13, 2014, the Pakistani hacker group TeaM MaDLeeTs breached the systems of Domain.ME, the Montenegro-based registrar responsible for managing .me top-level domain registrations. The attackers hijacked approximately 3,500 domains hosted on the compromised infrastructure, redirecting them to defacement pages under their control. Among the affected domains were nic.me and domain.me, the registrar's own primary domains. The hijacking involved modifying domain records so that visitors were directed to servers hosting the defacement content rather than to the legitimate websites. At the time of initial reporting, Domain.ME had restored control over the impacted domains, though the attackers preserved evidence of their actions through publicly available mirror copies of the defacements. The hackers claimed that the targeted domains were all parked on a single server they compromised during the breach. No technical details regarding the initial attack vector or the duration of unauthorized access were disclosed in available reports. As of the article's publication, Domain.ME had not released an official statement acknowledging the incident or explaining its restoration process.

The incident disrupted normal operations for thousands of .me domain holders, temporarily replacing legitimate web content with unauthorized defacement pages. TeaM MaDLeeTs' actions highlighted vulnerabilities in the registrar's infrastructure, particularly the concentration of parked domains on a single compromised server. The popularity of .me domains amplified the incident's visibility, though the article did not specify whether commercial services or government entities suffered operational impacts beyond the temporary redirection. Domain.ME's restoration efforts occurred without public explanation of containment measures or forensic findings. The absence of an official registrar statement left unresolved questions regarding breach methodology, data exposure risks, and potential collateral damage to third-party services relying on .me domains. Attack mirrors preserved by the hackers ensured continued public access to defacement content despite domain restoration, extending the incident's visibility beyond the initial compromise window.
