Cyber Incident Victim: NiceHash
Date: Nov 2020
Location: United States of America
Summary
A social engineering attack compromised GoDaddy employees, enabling unauthorized modifications to domain settings for cryptocurrency exchanges. Attackers altered DNS records to redirect web and email traffic, impacting platforms including NiceHash and Liquid.com. Liquid's infrastructure was partially breached, potentially exposing user emails, personal details, and encrypted passwords, though customer funds remained secure. NiceHash confirmed unauthorized domain changes but found no evidence of user data compromise. Both organizations regained control post-incident, with GoDaddy reverting unauthorized changes and assisting affected customers. The incident highlighted risks stemming from third-party provider vulnerabilities exploited through targeted employee deception.
Description
In mid-November 2020, attackers targeted GoDaddy employees through social engineering and phishing tactics, compromising the domain registrar's internal processes to facilitate unauthorized modifications of customer domain records. This campaign impacted multiple cryptocurrency exchanges, with Liquid.com experiencing a security incident on November 13 when fraudsters manipulated GoDaddy into transferring control of an account tied to the company's core domain names. The attackers altered DNS records to redirect email and web traffic, enabling them to seize control of Liquid's internal email accounts. Over subsequent days, the perpetrators partially compromised Liquid's infrastructure and accessed document storage containing user data including emails, names, addresses, and encrypted passwords. Liquid contained the breach after detection and confirmed client funds remained secure. Around the same period, NiceHash reported similar "technical issues" at GoDaddy that led to unauthorized DNS record changes for nicehash.com, though the company found no evidence of user information exposure. Both incidents stemmed from the same wave of attacks exploiting GoDaddy's compromised customer support channels.

GoDaddy responded by immediately locking affected accounts, reverting unauthorized modifications, and assisting customers with account recovery. Liquid CEO Mike Kayamori publicly disclosed the infrastructure compromise through a blog post, while NiceHash advised users to exercise caution regarding suspicious emails and links purporting to originate from their platform. Although NiceHash stated no confirmed data breach occurred, they recommended that users change their passwords and enable two-factor authentication as precautionary measures. The registrar acknowledged that a "small number" of customer domains were altered during the attack wave, marking the second security incident disclosed by GoDaddy in 2020 following a May breach involving unauthorized SSH access to hosting infrastructure. The coordinated campaign demonstrated how social engineering against domain registrars could enable secondary compromises of cryptocurrency exchange operations through DNS manipulation and email system takeovers.
