Hackers Hijack 100 Abandoned DeFi Protocols to Steal Cryptocurrency

Cybercriminals are increasingly hijacking domains of abandoned DeFi protocols to deceive users and steal their cryptocurrency. This was reported by the cybersecurity firm Coinspect.

Hackers are targeting old domains of dapps that are no longer active but are still referenced on well-known platforms such as DeFi Llama and DappRadar, as well as in news articles. After seizing these domains, cybercriminals inject malicious code and alter the website’s content.

“Unlike typical phishing attacks, there’s no need for spam emails or social engineering tactics here. Users may unknowingly land on a malicious site by clicking on links from old videos or through a DeFi aggregator,” the experts noted.

So far, specialists have identified 100 such hijacked domains, with an additional 475 still at risk.

One notable example is the blockchain platform Astar Exchange, which held $3.5 million. The platform ceased operations in February 2024, while its domain name expired in April 2025.

In July, the Astar domain was re-registered, as analysts from Coinspect stated in a comment to DLNews. On the homepage, the hackers posted a phishing message claiming users could withdraw funds from the platform. By clicking on the link in this notice, users ended up losing their cryptocurrency.

A similar situation occurred with projects like ADAO, Andromeada, and Ladex Exchange. Experts do not currently know who is behind these attacks, and it is also difficult to estimate the total amount stolen, as hackers frequently change wallet addresses.

The experts recommend that projects keep renewing their domain registrations even after shutting down, post a notice that operations have ceased, and notify analytics platforms of these changes.
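A listing audit that a platform linking to dapps could run in support of these recommendations, as an added example (not Coinspect's tooling and not code from the article): it flags links whose current domain registration is newer than the listing, and defunct projects whose registration is about to lapse. The `Listing` fields, status names, 90-day window and sample records are assumptions constructed for illustration; real dates would come from WHOIS/RDAP lookups.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Listing:
    domain: str
    listed_on: date              # when the platform first published the link
    shutdown_on: Optional[date]  # None while the project is still active
    reg_created: date            # creation date of the CURRENT registration
    reg_expires: date            # expiry date of the current registration

def classify(l: Listing, today: date, warn_days: int = 90) -> str:
    # A registration younger than the listing means the domain lapsed and was
    # registered again after the link went up. The legitimate owner may have
    # done this, so treat it as "review before sending users there".
    if l.reg_created > l.listed_on:
        return "re-registered"
    # Defunct project whose registration has lapsed or lapses soon: nobody is
    # likely to renew it, so it may be picked up by someone else.
    if l.shutdown_on is not None and l.reg_expires - today <= timedelta(days=warn_days):
        return "at-risk"
    return "ok"

def audit(listings, today: date) -> dict:
    return {l.domain: classify(l, today) for l in listings}

# Constructed sample records (placeholder .example domains, invented dates).
SAMPLE = [
    Listing("dead-dex.example", date(2022, 3, 1), date(2024, 2, 15),
            date(2025, 7, 10), date(2026, 7, 10)),
    Listing("sunset-swap.example", date(2021, 6, 1), date(2024, 11, 1),
            date(2021, 1, 5), date(2025, 9, 15)),
    Listing("archived-vault.example", date(2020, 9, 1), date(2023, 5, 1),
            date(2019, 4, 2), date(2028, 4, 2)),
    Listing("live-lend.example", date(2020, 1, 1), None,
            date(2019, 5, 1), date(2027, 5, 1)),
]

if __name__ == "__main__":
    for domain, status in audit(SAMPLE, date(2025, 8, 1)).items():
        print(f"{status:14} {domain}")
```

Registrar transfers usually keep the original creation date, so this check does not catch a domain that was sold or transferred without ever lapsing.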

According to Coinspect experts, the current attacks are relatively basic. However, they cautioned:

“If cybercriminals refine their techniques (for instance, by restoring social media accounts of the projects), it will become significantly harder to detect the counterfeit sites.”

As a reminder, experts from CertiK warned in January about the growing threat of phishing attacks.