Sep 24: Incident - attempted domain account takeover

On September 24, ether.fi experienced a security incident involving their domain registrar, Gandi.net.

Summary of the incident:

  • The team received a recovery notification from Gandi via email at 16:38 UTC

  • Upon verifying the SPF, DKIM and DMARC authentication records for the email, it was established that an attacker had attempted to use the legitimate Gandi recovery flow to gain access to ether.fi's Gandi account

  • Gandi was contacted on multiple platforms. At approximately 19:30 UTC it was confirmed that ether.fi's account had been locked to prevent further tampering and the nameserver configuration restored. A comprehensive analysis of external and internal systems is in progress; as of now, no traces of an internal breach have been observed.
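The second bullet turns on a single defender-side check: did the recovery email really pass SPF, DKIM and DMARC for the domain it claims to come from? The script below, an added example and not code from ether.fi or Gandi, shows how that check can be automated. It reads the Authentication-Results header that your own receiving mail server stamps on inbound mail (RFC 8601 layout) and only trusts a message when the visible From: domain, the SPF verdict, the DKIM verdict, the DKIM signing domain (header.d) and the DMARC verdict all agree with the expected sender. The two sample messages and the receiving host name mx.example.net are constructed; gandi.net is the only real domain used.

```python
"""Decide whether a "recovery" email genuinely authenticated for its claimed domain.

Added example, not ether.fi's or Gandi's code. It parses the Authentication-Results
header added by the receiving MTA (Google Workspace, Microsoft 365, Postfix with
OpenDMARC, etc.) and checks SPF, DKIM and DMARC against the expected domain.
Sample messages below are constructed; header layout follows RFC 8601.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# One "method=result" clause, e.g. "dkim=pass" or "spf=fail".
_METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# Properties we care about, e.g. "header.d=gandi.net" or "smtp.mailfrom=gandi.net".
_PROP_RE = re.compile(r"\b(header\.d|header\.from|smtp\.mailfrom)=([^\s;]+)", re.IGNORECASE)


def parse_authentication_results(header_value: str) -> dict:
    """Split an Authentication-Results value into {method: {"result": ..., props...}}."""
    # The first token (up to ';') is the authserv-id of the receiving host; drop it.
    _, _, rest = header_value.partition(";")
    results = {}
    for clause in rest.split(";"):
        m = _METHOD_RE.search(clause)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        entry = {"result": result}
        for prop, val in _PROP_RE.findall(clause):
            entry[prop.lower()] = val.lower()
        results[method] = entry
    return results


def evaluate_message(raw_message: str, expected_domain: str) -> dict:
    """Return per-check verdicts plus an overall 'trusted' flag.

    'trusted' is True only when the From: domain is the expected one and SPF, DKIM
    and DMARC all passed, with DKIM signed by that same domain (a passing DKIM
    signature from an unrelated look-alike domain is not good enough).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Headers are prepended, so the first Authentication-Results is the one your own
    # MTA added last; any further copies may have been injected upstream by a sender.
    ar_headers = msg.get_all("Authentication-Results") or []
    auth = parse_authentication_results(ar_headers[0]) if ar_headers else {}
    expected = expected_domain.lower()

    checks = {
        "from_domain_matches": from_domain == expected,
        "spf_pass": auth.get("spf", {}).get("result") == "pass",
        "dkim_pass": auth.get("dkim", {}).get("result") == "pass",
        "dkim_domain_matches": auth.get("dkim", {}).get("header.d") == expected,
        "dmarc_pass": auth.get("dmarc", {}).get("result") == "pass",
    }
    checks["trusted"] = all(checks.values())
    return checks


# Constructed sample: a legitimate notification as stamped by the receiving MTA.
GENUINE_RECOVERY_MAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=gandi.net;
 dkim=pass header.d=gandi.net header.s=sel1;
 dmarc=pass (p=REJECT) header.from=gandi.net
From: Gandi Support <support@gandi.net>
To: ops@example.net
Subject: Account recovery request

A recovery request was opened for your account.
"""

# Constructed sample: a message that merely claims to be from Gandi. DKIM passes,
# but for a look-alike signing domain; SPF and DMARC fail for the From: domain.
SPOOFED_RECOVERY_MAIL = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=gandi-support.example;
 dkim=pass header.d=gandi-support.example header.s=k1;
 dmarc=fail (p=REJECT) header.from=gandi.net
From: Gandi Support <support@gandi.net>
To: ops@example.net
Subject: Urgent: confirm your account recovery

Please confirm the recovery request.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_RECOVERY_MAIL), ("spoofed", SPOOFED_RECOVERY_MAIL)):
        print(label, evaluate_message(raw, "gandi.net"))
```

The point of the separate `dkim_domain_matches` check is that "dkim=pass" on its own says only that some domain signed the message; a registrar-recovery lure can carry a perfectly valid signature for a look-alike domain. In production, also confirm that the authserv-id in the header is your own mail server's, since a sender can pre-stamp a forged Authentication-Results header of its own.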

Prevention steps taken:

  • In the weeks prior, an increase in exploitation of similar attack vectors had been observed against other protocols. We pre-emptively upgraded our key platforms to require hardware authentication

  • Gandi's monitoring systems and process, while aggressive, locked down the domain account, prevented any access to our systems, and kept our websites, apps and emails safe from the attempted attack

More details of the incident will be shared as they become available, in collaboration with Gandi's team, over the next two days. Thank you to the Seal911 team, Doppel, Ethena and Distrust (our security partner), teams that instantly responded and provided assistance as we navigated the dangerous waters today.

We’re glad to report that all funds are safe, and no opportunity was given to the attackers to present a compromised dapp on any ether.fi related domain.
