Ether.fi, a decentralized finance (DeFi) staking protocol, has reported that no user funds were compromised during the recent domain takeover attack.
On Sept. 24, the DeFi protocol faced an attempted domain account takeover involving their domain registrar, Gandi.net, but was stopped before significant harm could occur.
The Ether.fi internal team confirmed that attackers could not present a malicious decentralized application (DApp) on any Ether.fi-related domain.
Related: Ether.fi launching ‘crypto-native’ credit card on ZK-rollup Scroll
Ether.fi responds to attack
The breach began on Sept. 24 when the DeFi protocol received a recovery notification email from Gandi.net at 4:38 pm UTC.
After verification through the protocol’s security measures, including “SPF, DKIM, and DMARC authentication records,” it was discovered that the attacker was behind the email.
According to an official Ether.fi summary Gitbook post, “it was established an attacker attempted to use the legitimate Gandi recovery flow to gain access to etherfi’s Gandi account.”
Ether.fi immediately contacted Gandi across multiple platforms, and by 7:30 pm UTC, the DeFi staking protocol had confirmed that its account had been locked down to prevent further tampering.
Related: Restaking is ‘inevitable,’ but the risks are still uncertain — Ether.fi CEO
Security measures
The DeFi protocol implemented security upgrades before the attempted attack, which acted as a buffer to mitigate the threat of the domain takeover attempt.
According to the official Gitbook post weeks prior, Ether.fi noticed an increase in the exploitation of similar attack vectors across other platforms.
As a precaution, the protocol upgrades its key platforms to require hardware authentication for account recovery and management procedures.
Ether.fi credited its security partners, including Seal911, Doppel, Ethena, and Distrust, for immediate assistance during the attack.
Related: Omni Network seals $600M deal with Ether.Fi
Follow-up communication and fund safety
On Sept. 24 at 07:13 pm UTC, Ether.fi communicated to its users via social media platform X that they should not “click on any links” or interact with their domain.
The DeFi protocol noted that official communications would come solely through X or Discord and explicitly stated that no communication would come through email.
After resolving the incident, the team stated that “all funds are safe” and that the attackers had “no opportunity” to issue any malicious DApps “on any ether.fi related domain.”
Magazine: Lady of Crypto will be ‘all out of crypto’ by September 2025: X Hall of Flame