Curve Finance Frontend Hijacked in Ongoing DNS Attack, Users Urged to Avoid Platform

Written by Faizan Ahmed

May 23, 2025

A DNS hijack targeting Curve Finance’s frontend since May 12, 2025, is serving malicious JavaScript code to steal users’ cryptocurrency, prompting urgent warnings from security experts and the DeFi platform.

Curve Finance, a popular decentralized finance platform, is under attack as hackers hijack its frontend through a DNS exploit, according to a report from Coinspect Security on May 12, 2025.

The attack, which began around 21:30 UTC, redirects users to a malicious site hosted on Cloudflare infrastructure, where wallet-draining JavaScript code is deployed.

Curve Finance confirmed the hijack remains active, urging users to avoid the platform until resolved.

Coinspect Security detailed the incident, noting the last legitimate frontend update occurred at 15:00 UTC on May 12, served from a Vercel IP (76.76.21.21). By 21:00 UTC, DNS records shifted to Cloudflare IPs, including 104.21.67.209, and malicious HTML began loading the wallet-draining script.

The firm identified the malicious JavaScript file with the hash 5a2b17d78d49d04bd8019d0652c3ee60bff3c690a8cece15b45f3dbfe7403a00, advising security tools to block it.
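A defender can turn the two indicators above into an automated check; the sketch below is an added example, not code from Coinspect or Curve Finance. It assumes a monitor that pins the Vercel IP as the resolution baseline and keeps its own set of known-good bundle hashes (`KNOWN_GOOD`, `dns_drift` and `classify_script` are hypothetical names, and the sample inputs are constructed).

```python
import hashlib
import ipaddress

# Indicators taken from this article (reported by Coinspect Security).
BASELINE_IPS = {ipaddress.ip_address("76.76.21.21")}  # last legitimate frontend (Vercel)
BAD_SCRIPT_SHA256 = {
    "5a2b17d78d49d04bd8019d0652c3ee60bff3c690a8cece15b45f3dbfe7403a00",
}

def dns_drift(observations, baseline=BASELINE_IPS):
    """Return (timestamp, unexpected_ips) for the first answer that leaves the baseline.

    observations: iterable of (iso_timestamp, [ip_string, ...]); evaluated in time order.
    An empty answer counts as drift too, since the pinned host vanished.
    """
    for ts, answers in sorted(observations):
        seen = {ipaddress.ip_address(a) for a in answers}
        unexpected = seen - baseline
        if unexpected or not seen:
            return ts, sorted(str(ip) for ip in unexpected)
    return None

def classify_script(body, known_good, known_bad=BAD_SCRIPT_SHA256):
    """Classify fetched JavaScript bytes by SHA-256.

    The blocklist catches only the exact reported file; anything absent from
    the known-good set is still reported, because a one-byte change to the
    script would yield a new hash.
    """
    digest = hashlib.sha256(body).hexdigest()
    if digest in known_bad:
        return "known-malicious", digest
    if digest in known_good:
        return "expected", digest
    return "unexpected", digest

# Constructed sample data (not captured traffic), mirroring the reported timeline.
SAMPLE_DNS = [
    ("2025-05-12T15:00Z", ["76.76.21.21"]),
    ("2025-05-12T21:00Z", ["104.21.67.209"]),
]
GOOD_BUNDLE = b"console.log('constructed stand-in for the real bundle');"
KNOWN_GOOD = {hashlib.sha256(GOOD_BUNDLE).hexdigest()}

if __name__ == "__main__":
    print(dns_drift(SAMPLE_DNS))
    print(classify_script(GOOD_BUNDLE, KNOWN_GOOD)[0])
    print(classify_script(GOOD_BUNDLE + b" ", KNOWN_GOOD)[0])
```

Because Cloudflare addresses are shared by many sites, a drift result is a trigger for investigation rather than proof of compromise on its own.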

This incident echoes a 2022 attack on Curve Finance, where hackers stole $570,000 through a similar DNS hijack, redirecting users to a cloned site that tricked them into approving malicious contracts, per a Tronweekly report.

The recurrence highlights persistent vulnerabilities in DeFi platforms, which rely on external infrastructure like DNS that attackers can exploit. Check Point Research notes that by 2025, crypto drainers—malicious tools targeting cryptocurrency wallets—have evolved, with groups like Inferno Drainer using rapid contract rotation and obfuscation to evade detection.

“We’re monitoring the situation closely and working to resolve the hijack,” Curve Finance said in a statement on X at 23:43 UTC on May 12. The platform’s smart contracts remain unaffected, but users who interact with the frontend risk losing funds. DeFi platforms like Curve Finance manage billions in assets, making them prime targets for cybercriminals.

The attack underscores broader security challenges in the DeFi space, where decentralized systems often rely on centralized points of failure like DNS. As adoption of DeFi grows, experts call for stronger safeguards, such as decentralized domain systems or enhanced user education on phishing risks. For now, users are advised to avoid curve.fi and curve.exchange until the platform confirms the issue is resolved.

Author

  • CCNC | Cryptocurrency Newscast

    CCNC News is your real-time source for the latest cryptocurrency news, market trends, blockchain updates, and expert insights. Our team leverages AI-powered tools to generate news articles quickly and efficiently, ensuring you stay updated on Bitcoin, altcoins, DeFi, NFTs, and regulatory changes. However, all content is carefully reviewed and edited by our experienced staff to maintain accuracy, reliability, and clarity.