Godaddy Employee being controlled by the hand of an unknown social engineer

Social engineers successfully manipulate GoDaddy employees into attacking several cryptocurrency exchanges

Many staff members at internet hosting giant GoDaddy were targeted by social engineering scams and phishing campaigns, facilitating attacks on multiple cryptocurrency exchanges.

Employees were tricked into changing email and registration records, transferring ownership and control of certain domains to malicious actors. This subsequently leading to attacks on other organisations.

GoDaddy confirmed that the scam led to a “small number” of customer domain names being “modified” in early November.

However, this is not the first time that there has been a data breach at GoDaddy:

“In May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. 2019 that wasn’t discovered until April 2020. This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.”


Bryan Krebs – Security Expert & Author, KrebsOnSecurity.com

Starting in mid-November, the scammers arranged it so all email and web traffic intended for the target cryptocurrency exchanges was redirected to domains controlled by themselves. Liquid.com and the NiceHash cryptocurrency trading posts were impacted, and it is suspected that other exchanges may also have been affected. 

“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor, this gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage”


Mike Kayamori – CEO, Liquid.com

NiceHash blamed “technical issues” at GoDaddy, but reacted quickly by freezing all wallet activity to prevent any loss of user cryptocurrency. Withdrawals were suspended for 24 hours while an internal audit took place and normal service has since resumed.

Go Daddy stated that they “immediately locked down the accounts involved in this incident” following news of these attacks, and “reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts.”

Could everyone in your organisation spot a sophisticated social engineering scam such as this and help prevent a potentially devastating attack?

Find out in our Free Click-Prone® test now.

Recent posts