Cryptocurrency theft through domain names: the Curve Finance case
The attackers managed to attack the Curve Finance project without interfering with its smart contracts.
28.05.2025
527
3 min
0
Throughout the history of cryptocurrencies, many criminal schemes have been devised to steal them. GetBlock AML Research explains how attackers can get hold of your cryptocurrency without interfering with the blockchain and smart contracts.
Precedent
On May 12, 2025, users of Curve Finance, a large decentralized exchange, began to be exposed to a fake copy of the trading platform that was created by attackers to steal cryptocurrency. It turned out that hackers conducted an attack on the Domain Name System (DNS) and took possession of Curve’s domain name (curve.fi).
Curve domain hacking alert
Manipulation of DNS servers resulted in everyone who wanted to open Curve Finance exchange in their browser being redirected to a malicious website. The project has already faced a similar attack in 2022.
How this is possible
The Domain Name System (DNS) works similarly to a phone book. A domain name (e.g., getblock.net) is assigned to the IP address of the server where the website is located. The system is implemented so that users can get to websites on the Internet via a convenient text link, without having to remember the correct IP address.
In the case of the attack on Curve Finance, the hackers were able to bypass the protection of the iwantmyname service, which provides domain name registration and management services. They then simply replaced the IP address assigned to the domain with another one that led to a malicious copy of Curve’s website.
Curve developers criticized the iwantmyname service for its slow response to the hack
The danger of such an attack is that spoofing the original website with a malicious one is difficult to detect. At the time of the attack, the Curve Finance team was unaware that users had lost access to the authentic version of the website. The spoofing occurred at 20:55 UTC and the attack was spotted by the Curve team at 21:20 UTC.
The Curve team confirms that the trading platform infrastructure is unaffected by the attack
How Curve responded
- The project team notified users about the danger through all available communication channels (e.g. Discord and X);
- Curve developers contacted the domain name registrar iwantmyname and requested the removal of the compromised domain;
- After the compromised domain was removed, a new domain name (curve.finance) was registered again.
Notification of users about registration of a new domain name
The peculiarity of the DNS spoofing attack is that the entire project infrastructure remains safe. Curve Finance smart contracts were unaffected, as well as user funds. During the attack period, the trading platform processed $400 million worth of transactions.
Protecting a project from DNS attacks
The situation with Curve Finance shows that many decentralized systems still continue to be dependent on a centralized web2.0 infrastructure. Here are the main ways that can help reduce this dependency:
- Have multiple domain names (mirrors) to make hacking more difficult. Even if one domain name is compromised, users will be able to access the service using other available addresses;
- Use only trusted and reliable companies that provide domain name registration and management services;
- Use alternative domain zones, such as the Ethereum Name Service (ENS), which allows you to register a .eth domain.
Useful material?
Research
One and the same cryptocurrency address received two completely opposite assessments from different analytics systems: from an ordinary gambling service to an extremely severe criminal offense. This story has become the starting point for a broader conversation about what the scientific standards of blockchain analysis should look like — and why errors in systems like these can shape the fates of real people.
Jul 1, 2026
Research
The blockchain has helped uncover the ties between cryptocurrency fundraising campaigns, exchangers in Syria, and intermediaries in several countries around the world. A telltale pattern has emerged in which the same addresses were used across multiple donation drives at once
Jun 24, 2026
Research
Four Iranian cryptocurrency exchanges accounted for roughly 78% of all digital asset volume tied to the country in 2025. They have now become the focal point of the largest U.S. sanctions campaign against Iran's cryptocurrency infrastructure.
Jun 5, 2026
Research
A financial system is already up and running on public blockchains, with loans, analogues of U.S. Treasuries, and automated capital markets. More than $551 billion has flowed through DeFi protocols — but most of that activity has nothing to do with the real economy and everything to do with the speculative build-up of risk.
May 29, 2026
Research
Around 97% of Chinese suppliers of chemicals used to make fentanyl accept payment in cryptocurrency. The volume of such transactions continues to grow alongside the global market for synthetic drugs
May 22, 2026
Research
For the first time, the new law makes blockchain analytics an officially mandatory tool of financial oversight in the United States. Authorities will also gain the power to restrict transactions with foreign crypto services tied to money-laundering risks.
May 20, 2026
Telegram
Twitter