Hackers are taking over domains of hundreds of defunct ‘zombie’ DeFi projects in an attempt to deceive users and steal their crypto with wallet-draining code.
That’s according to Coinspect, a crypto security firm, which published its findings in a Wednesday blog post.
“By reusing the project’s original branding and reputation, attackers can trick users into signing malicious transactions,” Coinspect said.
Altered sites
Attackers take over abandoned DeFi protocol domains that remain linked from reputable DeFi data platforms, such as DefiLlama and DappRadar, as well as news sites. Both ventures have deleted the problematic links.
They then insert malicious code and alter the site to encourage visitors to sign onchain transactions designed to drain crypto from their wallets.
“Unlike typical phishing campaigns, Zombie dApp attacks do not need to use unsolicited messages or social engineering to lure victims,” Coinspect said, referring to decentralised apps on a blockchain.
“Users can be funnelled naturally from legitimate and long-standing sources.”
So far, the firm has identified over 100 cases of repurposed web domains designed to steal unsuspecting users’ crypto.
As the DeFi industry grows and more projects launch and shut down, the issue is likely to become more severe.
The report comes as the industry experiences its worst year ever for crypto thefts on the back of the $1.4 billion hack of crypto exchange Bybit in February.
Digital thugs are on pace to steal more from crypto services than ever before this year, said crypto security firm Chainalysis in its 2025 mid-year crypto crime update report.
‘Zombie’ DeFi apps
When developers launch DeFi protocols, they usually pay to register the web domain through which the majority of users access it for a set period of time.
When that period ends and the owners don’t renew it, often because the project has shut down or is defunct, bad actors can swoop in and register the domain themselves.
“Reporting and block‐listing those domains as soon as they went live significantly limited the number of victims,” the spokesperson said.
One example highlighted by Coinspect is Astar Exchange, a DeFi exchange on the Astar Network blockchain, which once held $3.5 million in investor deposits.
The project has been inactive since February last year, and its domain expired on April 25.
In reality, the notice prompted users to sign a transaction that drained crypto from their wallets.
A similar situation occurred at dozens of other defunct DeFi projects, including ADAO, another Astar Network project, Andromeada, a decentralised exchange on Coinbase’s Base network, and Ladex Exchange, a project on the Lachain blockchain.
It’s not yet clear who is behind the attacks.
“Everything we’ve seen points to a lone operator or small team,” the Coinspect spokesperson said.
As part of Coinspect’s investigation, it worked with DefiLlama to delist compromised domains and flag defunct projects at risk of having their domains taken over by bad actors.
So far, the firm has reported 475 dead domains.
Coinspect also urged defunct projects to start taking responsibility for the situation.
To prevent hostile takeovers of their domains, the firm advises projects to pay the small cost to renew them, add shutdown notices to their websites, and let crypto data platforms and security teams know their domains are inactive.
So far, the domain takeover attacks have been fairly simplistic and easy to identify, Coinspect said.
But that could change.
“If future attackers adopt more polished approaches, these scams could become significantly harder to detect and more damaging.”
