
Steakhouse Financial Confirms DNS Hijack, Says No User Funds Were Lost

🤖 GG AI Summary

Steakhouse Financial experienced a DNS hijack through social engineering targeting their domain registrar, OVHcloud, which allowed attackers to redirect their website to a phishing page for about four hours. Despite the attack, no user funds were lost as the company's vaults operated independently and no onchain contracts were compromised. The incident highlights vulnerabilities in domain security but also demonstrates effective response measures and the resilience of Steakhouse's fund management.


TLDR:
- Attackers socially engineered OVHcloud support to remove hardware 2FA, enabling full account access within an hour.
- The phishing site used an Inferno Drainer kit and ran live for roughly four hours on March 30, 2026.
- ICANN’s five-day domain transfer lock gave Steakhouse Financial time to cancel an outbound transfer filed by the attacker.
- Steakhouse vaults on Morpho operated independently throughout; no depositor funds were at risk at any point.

A social engineering attack briefly redirected Steakhouse Financial’s website to a phishing page on March 30, 2026. Attackers manipulated the domain registrar’s support team to strip account security protections. The phishing site ran for roughly four hours before the team reclaimed control. No user funds were lost, and no onchain contracts were touched.

How Attackers Broke Into Steakhouse Financial’s Domain Registrar

The attacker called OVHcloud, the domain registrar used by Steakhouse Financial, and posed as the account owner. They provided enough personal information to pass OVH’s phone-based identity check. An OVH support agent then removed the hardware-based two-factor authentication on the account.

Within seconds of logging in, the attacker ran automated scripts. These deleted every second-factor device on the account and enrolled their own. The speed pointed to a pre-planned operation.

The attacker then redirected the domain’s nameservers to servers under their control. They pointed the site’s A records to a cloned version of the Steakhouse website hosted on Hostinger. That cloned site carried a wallet drainer linked to Inferno Drainer, a known drainer-as-a-service operation.

Let’s Encrypt TLS certificates were obtained within minutes. This made the phishing site appear legitimate to standard browsers. Wallet extensions from Phantom, MetaMask, and Rabby flagged the site as malicious independently and quickly.

https://t.co/0VlJ5n0yAM — Steakhouse Financial (@SteakhouseFi) April 10, 2026

Steakhouse Financial Reg...
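The sequence described above (nameserver change, A record repoint, certificate issued minutes later) is something a domain owner can alert on. The following is an added example, not code from the article or from Steakhouse Financial; the domain, addresses, issuer names, event format and the `detect` function are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed baseline for a hypothetical domain; every value is a placeholder.
BASELINE = {
    "domain": "example-vaults.test",
    "nameservers": {"ns1.registrar.test", "ns2.registrar.test"},
    "a_records": {"192.0.2.10"},
    "expected_issuers": {"Example Trust CA"},
}

# Constructed observations, shaped as a DNS poller and a CT-log watcher might emit them.
EVENTS = [
    {"t": "2026-01-01T09:00:00", "kind": "ns", "value": ["ns1.registrar.test", "ns2.registrar.test"]},
    {"t": "2026-01-01T10:00:00", "kind": "ns", "value": ["ns1.unknown-host.test", "ns2.unknown-host.test"]},
    {"t": "2026-01-01T10:02:00", "kind": "a", "value": ["198.51.100.77"]},
    {"t": "2026-01-01T10:06:00", "kind": "cert", "value": "Let's Encrypt"},
]

def detect(events, baseline, window=timedelta(minutes=30)):
    """Return (timestamp, severity, message) alerts for drift from the baseline."""
    alerts, last_drift = [], None
    for ev in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(ev["t"])
        if ev["kind"] in ("ns", "a"):
            key = "nameservers" if ev["kind"] == "ns" else "a_records"
            # Normalise case and trailing dots before comparing with the baseline.
            unexpected = {v.lower().rstrip(".") for v in ev["value"]} - baseline[key]
            if unexpected:
                last_drift = ts
                sev = "critical" if ev["kind"] == "ns" else "high"
                alerts.append((ev["t"], sev, f"{key} drift: {sorted(unexpected)}"))
        elif ev["kind"] == "cert":
            # Any certificate issued shortly after DNS drift is suspect, even
            # from a CA the domain normally uses.
            if last_drift is not None and ts - last_drift <= window:
                alerts.append((ev["t"], "critical",
                               f"cert from {ev['value']} issued {ts - last_drift} after DNS drift"))
            elif ev["value"] not in baseline["expected_issuers"]:
                alerts.append((ev["t"], "medium", f"cert from unexpected issuer {ev['value']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(*alert, sep=" | ")
```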
