Hey crypto companies: you NEED to use Registry Lock

Registry Lock would have likely prevented two recent crypto attacks.

Companies that deal with cryptocurrencies are effectively financial institutions, and they need to take extra precautions to prevent domain hijacking.

Last week, SpiritSwap said that a hacker had “managed to exploit GoDaddy, essentially they have hijacked our domain and copied our codebase” to trick users into sending swaps to a different wallet.

As Molly White of Web 3 is Going Just Great notes, this is likely a case of stolen credentials, not an exploit of GoDaddy. Ditto for an attack the week before involving a MM .finance, a domain at Namecheap.

If a nameserver change or domain theft could directly impact financial transactions, then the companies running these businesses should use Registry Lock. Registry Lock is a service offered by domain name registries through the registrars. Most Registry Lock products prevent people from transferring a domain or changing its nameservers without going through a multi-step process that involves both the registrar and registry.

In the case of Registry Lock on .com domains, which are operated by Verisign, a domain owner who wants to change their nameservers would first contact their registrar. This would trigger a process in which the registry manually verifies the request.

Not all registries offer Registry Lock, and not all registrars offer it even when the Registry does. Donuts, which runs .finance, does not offer it. I would expect it to offer it in the future because Afilias, which Donuts acquired in 2020, offered it.

When I last checked two years ago, GoDaddy didn’t offer Registry Lock, but it does offer TLD-agnostic services that could help prevent theft or hijacking.