Overview
While much of the focus in cryptocurrency security is placed on phishing attacks and smart contract exploits, a more insidious and technically complex threat targets the very fabric of the internet itself: DNS hijacking and BGP attacks.
These are infrastructure-level attacks that allow sophisticated criminals to redirect internet traffic, sending unsuspecting users to malicious websites even when they have typed the correct URL into their browser. For users of cryptocurrency exchanges and online wallets, these attacks represent a silent and almost undetectable threat, capable of bypassing many standard security measures and resulting in the complete loss of funds.
DNS Hijacking: Corrupting the Internet’s Phonebook
The Domain Name System (DNS) is often referred to as the “phonebook of the internet.” It is the system that translates a human-readable domain name (like exchange.com) into a machine-readable IP address (like 192.168.1.1).
A DNS hijacking attack occurs when an attacker gains unauthorized access to a domain’s DNS settings, typically by compromising the account at the domain registrar (the company where the domain name was purchased). Once they have control, the attacker can change the IP address associated with the domain, pointing it to a malicious server that they control.
This server will host a perfect, pixel-for-pixel clone of the real website. When a user then tries to visit exchange.com, their browser is unknowingly directed to the fake site. Any login credentials, passwords, or 2FA codes entered on this site are captured by the attacker.
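The registrar-level change described above shows up as a change in the domain's NS delegation and A records. The following monitor, an added example and not code from the original page, compares a stored baseline against a snapshot from several resolvers; the domain, record values and resolver names are constructed.

```python
# Detect DNS record drift for a monitored domain across several resolvers.
# In production the SNAPSHOT would be gathered by querying each resolver for A and NS.
from collections import defaultdict

# Constructed baseline: records the operator expects for the hypothetical domain.
BASELINE = {
    "A": {"203.0.113.10", "203.0.113.11"},
    "NS": {"ns1.legit-dns.example.", "ns2.legit-dns.example."},
}

# Constructed snapshot: what three public resolvers returned at check time.
SNAPSHOT = {
    "resolver-a": {"A": {"203.0.113.10", "203.0.113.11"}, "NS": set(BASELINE["NS"])},
    "resolver-b": {"A": {"198.51.100.77"}, "NS": {"ns1.rogue-dns.example."}},
    "resolver-c": {"A": {"198.51.100.77"}, "NS": {"ns1.rogue-dns.example."}},
}

def find_drift(baseline, snapshot):
    """Map rtype -> resolver -> (unexpected, missing) for every deviation."""
    drift = defaultdict(dict)
    for resolver, records in snapshot.items():
        for rtype, expected in baseline.items():
            seen = records.get(rtype, set())
            unexpected, missing = seen - expected, expected - seen
            if unexpected or missing:
                drift[rtype][resolver] = (sorted(unexpected), sorted(missing))
    return dict(drift)

def assess(baseline, snapshot):
    """Turn drift into findings. NS drift means the delegation itself changed,
    which is the registrar-level takeover described in the text; A drift seen by
    most resolvers points at the authoritative zone, while drift at a single
    resolver is more consistent with a cache or propagation problem."""
    drift = find_drift(baseline, snapshot)
    total = len(snapshot)
    findings = []
    for rtype, per_resolver in drift.items():
        hit = len(per_resolver)
        if rtype == "NS":
            findings.append(("critical", f"NS delegation changed at {hit}/{total} resolvers"))
        elif hit * 2 > total:
            findings.append(("critical", f"A records changed at {hit}/{total} resolvers"))
        else:
            findings.append(("warning", f"A records differ at {hit}/{total} resolvers"))
    return findings
```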
BGP Hijacking: Rerouting the Internet’s Postal Service
The Border Gateway Protocol (BGP) is the routing protocol of the internet. It is the system that allows the thousands of independent networks (or “autonomous systems”) that make up the internet to share information about which IP addresses they control.
Think of it as the postal service that determines the best route for data to travel from one point to another. A BGP hijacking attack occurs when a malicious actor falsely announces that they control a range of IP addresses that they do not actually own. If other networks believe this false announcement, they will start routing all traffic destined for those IP addresses to the attacker’s network.
This allows the attacker to intercept, monitor, or redirect a massive amount of internet traffic. In the context of a crypto exchange, an attacker could use a BGP hijack to redirect all traffic meant for the real exchange’s servers to their own malicious servers, creating the same outcome as a DNS hijack but on a much larger and more difficult-to-detect scale.
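A false origin announcement is what route origin validation (the RFC 6811 check behind RPKI-based BGP monitoring) is built to flag. The following is an added example, not code from the original page: the ROA, the prefixes (documentation ranges) and the ASNs (private-use numbers) are all constructed.

```python
# Route origin validation (RFC 6811 semantics) over constructed BGP announcements.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Roa:
    prefix: str      # prefix the ROA covers, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the ASN may announce under it
    asn: int         # authorised origin ASN

@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int

# Constructed ROA set: the legitimate exchange network (AS64500) holds 203.0.113.0/24
# and may not announce anything more specific than the /24.
ROAS = [Roa("203.0.113.0/24", 24, 64500)]

# Constructed announcements as a route collector would see them.
ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", 64500),    # legitimate origin
    Announcement("203.0.113.0/24", 64666),    # same prefix, foreign origin: classic hijack
    Announcement("203.0.113.128/25", 64500),  # more specific than maxLength: also invalid
    Announcement("198.51.100.0/24", 64501),   # no ROA covers it
]

def validate_origin(ann: Announcement, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ip_network(ann.prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == net.version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"   # no ROA: cannot judge, usually still accepted
    for roa in covering:
        if roa.asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered by a ROA, but origin or length is wrong

def find_hijacks(announcements, roas):
    """List (prefix, origin_asn) pairs a BGP monitor should alert on."""
    return [(a.prefix, a.origin_asn) for a in announcements
            if validate_origin(a, roas) == "invalid"]
```

A more-specific announcement beyond the ROA's maxLength is flagged as well, because a longer prefix wins in route selection even when the origin ASN looks right.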
The Dangers and Defense Mechanisms
These attacks are particularly dangerous because they are invisible to the end-user. The URL in the browser bar is correct, and the SSL certificate might even appear to be valid. The user has no indication that they are on a malicious site. Defending against these attacks requires a multi-layered approach.
For Users: Using a hardware wallet for storing funds (not on an exchange) is the ultimate protection, as the private keys never leave the device. For exchange accounts, using a physical security key (like a YubiKey) for 2FA provides a much higher level of security than app-based authenticators.
For Companies: Exchanges and other financial platforms must implement advanced security measures, such as Registry Lock for their domains (which prevents unauthorized changes to DNS settings) and monitoring for BGP anomalies. They must also educate their users about these threats.
The psychological impact of such an attack can be devastating, as it undermines the user’s trust in the very infrastructure of the internet. This sense of foundational insecurity is a major psychological barrier to adoption, a topic that touches on the themes of trust and fear explored in education on Trading Psychology and Risk-Management.
Provider-Report Fields: DNS and BGP Incidents
DNS hijacking attacks target domain registrar accounts and DNS settings. BGP hijacking targets internet routing infrastructure. If you have identified or experienced either type of attack, the following information is relevant for reports to domain registrars, hosting providers, DNS providers, and security teams.
For DNS Hijacking Reports
- Affected domain: the domain whose DNS settings were changed
- Registrar: the registrar where the domain is registered
- DNS provider: the DNS service whose records were modified
- Malicious IP address: the IP address the domain was redirected to
- Malicious server location: hosting provider of the malicious server if known
- Date and time of redirect: when the hijack was first observed
- Screenshot of fake website: documenting the clone site
- SSL certificate details: certificate issuer and validity dates of the certificate on the fake site
- Funds lost: wallet address, transaction hash, amount if a transaction was made to the fake site
For BGP Hijacking Reports
- Affected IP range: the IP addresses or CIDR block that was falsely announced
- Affected ASN: the Autonomous System Number that owns the legitimate IP range
- Malicious ASN: the Autonomous System that made the false announcement if known
- Date and time of anomaly: when the BGP route anomaly was first observed
- BGP monitoring source: the monitoring tool or service that detected the anomaly (BGPmon, RIPE NCC RIS, etc.)
- Evidence of traffic interception: any documented evidence of traffic being redirected
ScammerWatch prepares structured abuse reports for registrars and hosting providers. If you have encountered a DNS hijacking site or have evidence of infrastructure-level attacks targeting crypto platforms, submit a report at scammerwatch.com/report-a-scam.