
Cyber Incident Victim: Wirex

Date: Nov 2020

Location: United States of America

Summary

Fraudsters compromised multiple cryptocurrency platforms, including Wirex.app, by socially engineering GoDaddy employees to gain unauthorized control over domain registrations. This allowed the attackers to alter DNS records, redirecting email and web traffic to infrastructure they controlled, from which they partially compromised victim infrastructure and accessed internal accounts. The incident involved tactics similar to those of previous GoDaddy breaches, where voice phishing targeted support staff to transfer domain ownership. While some affected services detected and reverted the changes swiftly, preventing data theft, the attackers used the redirected email to attempt password resets on third-party platforms. GoDaddy confirmed that a limited number of employee accounts were manipulated through social engineering, locked down the compromised accounts, and assisted customers in restoring access.


Description

The incident involving Wirex.app occurred as part of a broader campaign targeting multiple cryptocurrency platforms through compromised GoDaddy domain management accounts between November 13 and November 18, 2020. Attackers socially engineered GoDaddy employees to gain unauthorized control over customer domains, enabling DNS record alterations that redirected email and web traffic. Liquid.com was the first confirmed victim on November 13, where attackers accessed internal email accounts and partially compromised infrastructure after GoDaddy incorrectly transferred domain control. On November 18 (CET), NiceHash detected unauthorized DNS changes at GoDaddy that briefly redirected its email and web traffic to privateemail.com, a Namecheap service. NiceHash immediately mitigated the attack, froze customer funds for 24 hours, and confirmed that no sensitive data was accessed, though password resets were advised. Attackers attempted to leverage NiceHash's redirected email to reset credentials for third-party services such as Slack and GitHub.


GoDaddy confirmed a "small number" of customer domains were modified after employees fell for social engineering scams, though the company attributed a concurrent system outage to unrelated technical issues. Forensic analysis by KrebsOnSecurity revealed Wirex.app, Bibox.com, and Celsius.network as additional potential targets based on DNS record changes redirecting email to privateemail.com during the same period. None of these three platforms publicly acknowledged impacts or responded to inquiries. GoDaddy's response included locking compromised accounts, reverting unauthorized changes, and assisting affected customers. This incident mirrored March 2020 attacks where fraudsters used phone-based social engineering to hijack GoDaddy-managed domains like escrow.com, suggesting possible actor overlap. The campaign exploited remote work conditions during the COVID-19 pandemic, aligning with FBI/CISA advisories on sophisticated vishing tactics targeting corporate employees through credential phishing and social media reconnaissance.
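The two paragraphs above describe the same detection opportunity: the hijack was visible as an unexpected change to the victims' DNS records, in particular MX records suddenly pointing at a third-party mail host. NiceHash caught it quickly; the three other platforms apparently did not. The following is an added example, not code from this page or from any of the organisations named in it, showing the kind of baseline-diff check a domain owner can run on a schedule. It assumes a hypothetical domain (example-exchange.test) and constructed record values; the "observed" snapshot is embedded as text in the `dig +noall +answer` format so the check runs offline, whereas a real deployment would feed it live resolver output.

```python
from dataclasses import dataclass

# Baseline: the records the domain owner expects. Constructed, hypothetical values.
BASELINE = {
    "example-exchange.test": {
        "NS": {"ns1.example-exchange.test.", "ns2.example-exchange.test."},
        "MX": {"10 mail.example-exchange.test."},
        "A": {"203.0.113.10"},
    }
}

# Constructed snapshot in 'dig +noall +answer' format (name TTL class type rdata).
# The MX hosts under privateemail.com are illustrative, modelled on the page's
# description of email being redirected to that provider; the exact labels are assumed.
OBSERVED_ANSWER_SECTION = """
example-exchange.test.  300  IN  NS  ns1.example-exchange.test.
example-exchange.test.  300  IN  NS  ns2.example-exchange.test.
example-exchange.test.  300  IN  MX  10 mx1.privateemail.com.
example-exchange.test.  300  IN  MX  20 mx2.privateemail.com.
example-exchange.test.  300  IN  A   203.0.113.10
"""

# Record types whose change implies loss of control over the zone or its mail.
CONTROL_PLANE_TYPES = {"NS", "MX"}


@dataclass(frozen=True)
class Alert:
    domain: str
    rtype: str
    added: frozenset
    removed: frozenset
    severity: str


def parse_answer_section(text):
    """Parse 'name TTL IN TYPE rdata' lines into {domain: {rtype: {rdata, ...}}}."""
    snapshot = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip anything that is not a well-formed answer line
        name, _ttl, _cls, rtype, rdata = parts
        domain = name.rstrip(".")
        snapshot.setdefault(domain, {}).setdefault(rtype, set()).add(rdata.strip())
    return snapshot


def diff_records(baseline, observed):
    """Compare observed records with the baseline and return one Alert per changed type."""
    alerts = []
    for domain, expected in baseline.items():
        current = observed.get(domain, {})
        for rtype, want in expected.items():
            have = set(current.get(rtype, set()))
            added = frozenset(have - want)
            removed = frozenset(want - have)
            if added or removed:
                severity = "high" if rtype in CONTROL_PLANE_TYPES else "medium"
                alerts.append(Alert(domain, rtype, added, removed, severity))
    return alerts


def run_check():
    """Run the baseline diff over the constructed snapshot and return the alerts."""
    observed = parse_answer_section(OBSERVED_ANSWER_SECTION)
    return diff_records(BASELINE, observed)


if __name__ == "__main__":
    for alert in run_check():
        print(f"[{alert.severity}] {alert.domain} {alert.rtype}: "
              f"added={sorted(alert.added)} removed={sorted(alert.removed)}")
```

Only the MX change produces an alert here (the NS and A records still match), and it is rated high because a mail redirection is exactly what enables the password-reset attempts described in the incident. Comparing against a baseline you keep yourself, rather than trusting the registrar's own change notifications, matters in this case because the registrar account was the thing that had been compromised.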
