Crypto Phishing Wave Intensifies: OpenEden DNS Hijacked by Hackers
Another day, another crypto heist—only this time, the attackers didn't need to crack a wallet. They just redirected the traffic.
OpenEden, a platform known for tokenizing real-world assets, saw its domain name system hijacked in a sophisticated phishing campaign. Users typing the legitimate URL were silently rerouted to malicious clones designed to drain credentials and seed phrases. No smart contract exploits, no bridge vulnerabilities—just old-fashioned DNS poisoning with a Web3 twist.
The Anatomy of a Redirect Attack
Security firms tracking the incident confirm the attackers gained control of OpenEden's DNS records. For hours, anyone visiting the site landed on a perfect replica. The fake site prompted connections to wallets, then siphoned approvals and private keys. By the time the team regained control, an undisclosed number of users had been compromised.
It's a stark reminder that crypto's weakest link isn't always on-chain. Centralized points of failure—like domain registrars and hosting providers—remain prime targets. The industry spends billions securing blockchain protocols, yet a $20 domain renewal lapse can undo it all.
Phishing's Evolution: From Email to Infrastructure
This isn't your grandma's Nigerian prince scam. Modern crypto phishing employs domain spoofing, typosquatting, and now, full DNS takeovers. Attackers mimic official communications, hijack social media accounts, and clone entire front-ends. The playbook keeps expanding because it works.
OpenEden has since restored its domain and is working with authorities. They recommend users verify site certificates, bookmark official URLs, and never click links from unsolicited messages. Standard advice, but in a frenzy for yields, how many actually follow it?
A cynical take? The same finance bros who lecture about 'self-custody' and 'being your own bank' still can't resist clicking the shiny 'Connect Wallet' button on a sketchy domain. Maybe decentralization shouldn't stop at the protocol layer.
A huge blow for key player in the crypto industry
The DNS compromise caused a lot of concern, especially given OpenEden’s role as a major institutional custodian of tokenized real-world assets. The company was founded in 2022 in Singapore and operates as an issuer of tokenized US treasury bills through its flagship TBILL token, which provides investors with direct access to tokenized treasury bills backed by corresponding securities kept in segregated accounts.
The platform grew to become a key player in the crypto space and became the first tokenized RWA issuer to receive A ratings from investment analysts (A from Moody’s and AA+ from S&P Global Ratings) for its Treasury fund.
With such a large industrial footprint (serving professional investors, DAO treasuries, and other firms), the DNS compromise creates risk for DeFi users, but more so for bigger market participants who assume that institutional-grade platforms have enterprise-level security protecting their web access points.
How did the DNS attack happen?
DNS hijacking attacks work by compromising the Internet’s addressing system. The Domain Name System works like the Internet’s phonebook, translating human-readable domain names like “openeden.com” into number-based IP addresses that computers use to route traffic.
As such, when attackers hijack a domain’s records, they can redirect visitors to malicious sites without touching the original platform’s infrastructure.
In OpenEden’s case, users typing “openeden.com” or “portal.openeden.com” into their browsers WOULD be rerouted to attacker-owned servers hosting fake versions of the original platform.
These fake sites would replicate the original interface pixel for pixel, and then prompt users to connect their wallets. After connecting, the malicious site can then request transaction signatures that appear on the website like normal website interactions, but are actually authorizing transfers of tokens to attacker wallets.
Luckily, this attacker operates independently of OpenEden’s smart contracts and reserve custody systems. The platform’s TBILL and USDO tokens remain secure in their respective vaults, and all the reserve assets backing those tokens continue to be verifiable through Chainlink’s Proof of Reserve oracles.
This means that the DNS attack only creates risk for users who visit the hijacked domains and interact with the phishing interface, forcing OpenEden to announce a warning to all users to stop interacting with their website.
Latest in wave of DNS attacks targeting crypto platforms
The OpenEden incident falls into a concerning pattern of DNS hijackings targeted at crypto platforms. In November 2025, Aerodrome Finance (the largest decentralized exchange on Coinbase) was hijacked by attackers, seizing control of the platform’s domain registration to re-route traffic to a fake site.
Aerodrome’s smart contracts remained uncompromised, but the phishing site was able to trick unsuspecting users into signing transaction approvals that drained wallets of ETH, USDC, and various other tokens.
In the same vein, Curve Finance experienced a DNS hijacking in May 2025 when attackers infiltrated the domain registrar “iwantmyname” and tweaked the DNS delegation for the “curve.fi” domain.
Naturally, users were redirected to other sites, but Curve’s team responded by migrating to a secure alternative domain and urging users to access the platform through Ethereum Name Service (ENS) mirrors instead of the traditional DNS.
DNS attacks work well for crypto platforms in particular because users must connect wallets and sign transactions frequently, which creates various opportunities for phishing sites to target.
OpenEden has not disclosed how the attackers gained control of its DNS records or which registrar manages its domains, as the investigation is still ongoing.
However, the platform has not provided a timeline for when safe access to their domains would be restored. In the meantime, users looking to verify reserve holdings can access the Chainlink Proof of Reserve directly for real-time information on assets connected to OpenEden.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
