- Scammers are purchasing the websites of abandoned DeFi projects to steal funds
- The scammers are attaching wallet drainers to the websites to nab former users seeking to withdraw funds
- The tactic has a higher chance of nabbing users since the domain is in the scammers’ hands
Malicious actors are now purchasing websites of abandoned DeFi projects and attaching wallet drainers to the interface to nab former users. The threat actors are interested in former users returning to a dead DeFi project to withdraw forgotten funds. Scammers are likely to capture more victims because the targeted projects aren’t active to warn their users, and the domain is fully controlled by the malicious actors, making it an uncommon but highly potent scamming tactic.
Beware of Old Abandoned DeFi Projects
The attack vector was first reported by pseudonymous DeFiLlama founder 0xngmi, who warned users of “old abandoned DeFi” projects to be cautious when returning to the project to withdraw funds they “put there and forgot about.”
I’ve noticed that scammers have started buying old abandoned defi domains to replace the frontend with drainers
so if you’re going to some dead defi project to withdraw some money you put there and forgot about, be careful about that
— 0xngmi (@0xngmi) April 15, 2025
The tactic works even on cautious crypto users since a legitimate, bookmarked URL can lead to a compromised website “if the domain changed hands quietly.” Some crypto community members observed that the deserted domains “often look legit […] and even savvy users can fall victim.”
Because abandoned domains often look legit (at first glance), and without checking the contract address (or site authenticity), even savvy users can fall victim.
— Stanimir Uzunov (@stan1m1r) April 15, 2025
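One way to check whether a bookmarked domain "changed hands quietly" before connecting a wallet is to compare its RDAP registration events with the date the site was last used. This is an added example, not code from the article or from anyone quoted in it; the RDAP response, the placeholder domain, the dates and the function names are all constructed for illustration.

```python
import json
from datetime import datetime, timezone

# RDAP event actions (RFC 9083). STRONG ones suggest a new registration or a
# move between registrars; "last changed" is weaker (any record update).
STRONG = {"registration", "reregistration", "reinstantiation", "transfer"}
WEAK = {"last changed"}

# Constructed RDAP response for a placeholder domain; not real registry data.
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "abandoned-defi.example",
  "events": [
    {"eventAction": "registration", "eventDate": "2025-03-02T10:15:00Z"},
    {"eventAction": "last changed", "eventDate": "2025-03-05T08:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-03-02T10:15:00Z"}
  ]
}
""")

def parse_ts(value):
    """Parse an RDAP (RFC 3339) timestamp into a timezone-aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def changes_since(rdap, last_trusted_use):
    """Return sorted (date, action) pairs for change events after last_trusted_use."""
    hits = []
    for event in rdap.get("events", []):
        action = str(event.get("eventAction", "")).lower()
        date = event.get("eventDate")
        if action in STRONG | WEAK and date and parse_ts(date) > last_trusted_use:
            hits.append((parse_ts(date), action))
    return sorted(hits)

def verdict(rdap, last_trusted_use):
    """Classify the domain relative to the last time the user trusted it."""
    actions = {action for _, action in changes_since(rdap, last_trusted_use)}
    if actions & STRONG:
        return "new-holder-likely"   # registered or moved after the last visit
    if actions:
        return "modified"            # record touched; ownership unclear
    return "no-change-seen"          # not proof: still verify the contract address

if __name__ == "__main__":
    last_use = datetime(2023, 12, 1, tzinfo=timezone.utc)  # constructed date
    print(SAMPLE_RDAP["ldhName"], verdict(SAMPLE_RDAP, last_use))
```

A sale that stays with the same registrar may surface only as "last changed", or not at all, so a clean result does not replace checking the contract address the site asks the wallet to approve.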
Abandoned Domains Retailing for a Penny?
Old DeFi and web3 websites are already listed at a throwaway price. Sakura subDAO’s domain, for example, is listed on GoDaddy for a penny, putting it within the reach of malicious actors. The community also revealed that scammers are purchasing domains of abandoned NFT projects.
Remember the Sakura subDAO announced in late 2023? It was a front end to allow users to deposit into the DAI Savings Rate Module.
Apparently you can get the official Sakura domain name for a penny on GoDaddy https://t.co/3BJdMYSvtp
— PaperImperium (@ImperiumPaper) April 15, 2025
This strategy appears to be an evolution of existing schemes that involve attaching wallet drainers to spoofed websites. Malicious actors also hack the social media accounts of prominent public figures, such as politicians and celebrities, to drain the wallets of unsuspecting victims.
With the old abandoned domains retailing for a penny, scammers will likely concentrate on purchasing websites of leading DeFi and web3 projects that have since been abandoned.