
These DeFi Domains Might Be Risky to Investors

Non-fungible token (NFT) companies like Dapper Labs and Yuga Labs were recently seen performing defensive domain registration. While this strategy is only a part of a broader brand protection program, large companies in other industries implement it as well.

WhoisXML API researchers examined what defensive domain registration looks like in the decentralized finance (DeFi) platform market. Did the DeFi companies themselves register the domains, or did other actors play a role? Among our findings are:

  • 1,200+ domains added since 1 April 2022 contain the names of 10 of the most popular DeFi companies, namely, AAVE, Decentraland, Dharma, Dydx, Kyber Network, Lucky Block, SushiSwap, Terra, Uniswap, and Yearn.finance
  • All of the platforms’ official domain names had redacted WHOIS records, making attribution difficult
  • None of the domains shared identical WHOIS characteristics with the official domains; at most, they shared the same privacy protection services, nameservers, registrars, and registrant countries
  • Dozens of domains have already been flagged for phishing or malware hosting

A sample of the additional artifacts obtained from our analysis is available for download from our website.

32 DeFi Domains Registered Per Day Since 1 April 2022

Since 1 April 2022, we observed more than 1,200 domains that use the names of 10 DeFi platforms, pegging the average daily domain registration at 32 domains.

In some cases, we used the full domain names as search strings to reduce the number of false positives. For instance, we used “terra” and “money” together to retrieve domains targeting Terra, since “terra” alone yielded almost 4,000 domains, not all of which are necessarily relevant to this study.

That said, about 33% of the domains we uncovered contained the string “aave,” followed by “terra money,” at 26%, “dharma” at 14%, and “decentraland” at 11%. The chart below shows the distribution of the domains.

The chart includes domain names that look very similar to the companies’ official domains aave[.]com and terra[.]money, such as aave[.]id, aaveu[.]com, aaave[.]co, terrag[.]money, lterra[.]money, and ttterra[.]money. We observed the same theme across the other domains, with most differing from the legitimate ones by only one or two characters.
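The two filters described above, the keyword rule that only counts “terra” together with “money” and the check for names that differ from an official domain by one or two characters, can be reproduced in a small triage script. The following is an added example, not code from the WhoisXML API study; the candidate list mixes domain names quoted in this post (written with plain dots rather than defanged brackets) with two constructed names, and the single-label public-suffix assumption in `registrable_label` is an assumption that holds for the TLDs here but not for suffixes such as `co.uk`.

```python
"""Lookalike-domain triage for a brand-monitoring feed.

Added example, not code from the WhoisXML API study. It applies the two filters
the post describes to a constructed list of candidate domains: a keyword filter
in which "terra" only counts together with "money" (the post notes that "terra"
alone over-matched), and an edit-distance check that flags registrable labels
within one or two characters of an official domain.
"""
from __future__ import annotations

# Official domains named in the post, keyed by brand.
OFFICIAL = {"aave": "aave.com", "terra": "terra.money"}

# Keyword rules: the brand string plus every co-keyword must appear somewhere
# in the candidate domain. An empty tuple means the brand string alone suffices.
KEYWORDS = {"aave": (), "terra": ("money",)}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, each costing 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain. Assumes a single-label public suffix,
    which holds for the TLDs in the post; real feeds need a Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def keyword_brand(domain: str) -> str | None:
    """Brand whose keyword rule the whole domain string satisfies, if any."""
    text = domain.lower()
    for brand, cokeys in KEYWORDS.items():
        if brand in text and all(k in text for k in cokeys):
            return brand
    return None


def classify(domain: str, max_distance: int = 2) -> dict:
    """Classify one candidate against the official domains.

    verdict: "exact"     the official domain itself
             "lookalike" registrable label within max_distance edits of an
                         official label (aave.id, aaveu.com, ttterra.money ...)
             "keyword"   contains the brand keyword(s) but is not a near-typo
             None        no brand match (e.g. "terra" without "money")
    """
    d = domain.lower().rstrip(".")
    label = registrable_label(d)
    # Closest official brand by edit distance on the registrable label.
    brand, dist = min(
        ((b, levenshtein(label, registrable_label(o))) for b, o in OFFICIAL.items()),
        key=lambda t: t[1],
    )
    if d == OFFICIAL[brand]:
        return {"domain": domain, "brand": brand, "verdict": "exact", "distance": 0}
    if dist <= max_distance:
        return {"domain": domain, "brand": brand, "verdict": "lookalike", "distance": dist}
    kw = keyword_brand(d)
    return {"domain": domain, "brand": kw, "verdict": "keyword" if kw else None,
            "distance": dist}


def triage(domains: list[str]) -> dict[str | None, list[str]]:
    """Group candidates by verdict so analysts can review lookalikes first."""
    groups: dict[str | None, list[str]] = {}
    for dom in domains:
        groups.setdefault(classify(dom)["verdict"], []).append(dom)
    return groups


if __name__ == "__main__":
    # Names quoted in the post plus two constructed entries: one negative
    # ("terra" without "money") and one keyword hit that is not a near-typo.
    sample = ["aave.com", "aave.id", "aaveu.com", "aaave.co", "terrag.money",
              "lterra.money", "ttterra.money", "app-aave-open.xyz",
              "terracotta-tiles.example", "terra-money-airdrop.example"]
    for verdict, doms in triage(sample).items():
        print(f"{verdict}: {doms}")
```

Comparing on the registrable label rather than the whole name is what lets `aave.id` (same label, different TLD) surface as a lookalike with distance 0, while a long keyword-bearing name such as `app-aave-open.xyz` falls through to the weaker “keyword” verdict for a second look rather than being discarded.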

Who Owns the DeFi Domains?

All 10 DeFi companies used privacy redaction services, according to their WHOIS lookup results, making it challenging to attribute the possibly connected domains publicly. However, based on recurring WHOIS characteristics, such as registrars, nameservers, registrant countries, and privacy redaction service providers, we can only credit one domain each to Aave, Kyber Network, and Uniswap.

The rest of the domains may still have been registered by the companies, but we can’t rule out the possibility that malicious actors are behind some of them. In fact, 40 domains had already been flagged as malicious as of 9 May 2022.
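The attribution rule described in this section, crediting a domain to a company only when its recurring WHOIS characteristics (registrar, nameservers, registrant country, and privacy redaction provider) all match the official domain, is straightforward to encode. The following is an added example, not code or data from the WhoisXML API study: every registrar, nameserver, country, and privacy-provider value is a constructed placeholder, since the post names none of the real values, and the candidate domain names are constructed as well.

```python
"""WHOIS-characteristic attribution of candidate domains to a brand.

Added example, not code from the WhoisXML API study. All records below are
constructed placeholders (registrar, nameserver, country and privacy-provider
values are invented). With registrant details redacted, the only usable
signals are the recurring characteristics, so the rule is deliberately
conservative: a candidate is credited to the brand only when every tracked
characteristic matches the brand's official domain.
"""
from __future__ import annotations

from dataclasses import dataclass

# Characteristics that remain visible when the registrant is redacted.
FIELDS = ("registrar", "nameservers", "registrant_country", "privacy_provider")


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    nameservers: frozenset[str]
    registrant_country: str
    privacy_provider: str | None  # None when the registrant is not redacted

    @property
    def redacted(self) -> bool:
        """True when a privacy service hides the registrant contact fields."""
        return self.privacy_provider is not None


def shared_characteristics(candidate: WhoisRecord, official: WhoisRecord) -> list[str]:
    """Fields on which the candidate matches the official record exactly."""
    return [f for f in FIELDS if getattr(candidate, f) == getattr(official, f)]


def attribute(candidate: WhoisRecord, official: WhoisRecord) -> str:
    """Attribution verdict for one candidate.

    "likely-defensive"  every tracked characteristic recurs
    "inconclusive"      some recur; could be the brand, a popular registrar or
                        privacy service shared by chance, or an impostor
    "unrelated"         nothing recurs
    """
    shared = shared_characteristics(candidate, official)
    if len(shared) == len(FIELDS):
        return "likely-defensive"
    return "inconclusive" if shared else "unrelated"


def attribution_report(official: WhoisRecord, candidates: list[WhoisRecord]) -> dict[str, str]:
    """Map each candidate domain to its verdict."""
    return {c.domain: attribute(c, official) for c in candidates}


# Constructed records, not real WHOIS data.
BRAND_NS = frozenset({"ns1.dns-a.example", "ns2.dns-a.example"})
OFFICIAL = WhoisRecord("brand.example", "Registrar-A", BRAND_NS, "Country-A", "Privacy-Service-A")
CANDIDATES = [
    # Same registrar, nameservers, country and privacy service as the brand.
    WhoisRecord("brand-defensive.example", "Registrar-A", BRAND_NS, "Country-A", "Privacy-Service-A"),
    # Shares only the registrar and the privacy service: common enough to mean nothing.
    WhoisRecord("brand-lookalike-1.example", "Registrar-A", frozenset({"ns1.dns-b.example"}),
                "Country-B", "Privacy-Service-A"),
    # Nothing in common, and not even redacted.
    WhoisRecord("brand-lookalike-2.example", "Registrar-C", frozenset({"ns1.dns-c.example"}),
                "Country-C", None),
]


if __name__ == "__main__":
    for domain, verdict in attribution_report(OFFICIAL, CANDIDATES).items():
        print(f"{domain}: {verdict}")
```

A partial overlap is reported as inconclusive rather than scored, because a widely used registrar or privacy service is exactly what an impostor would also pick; the post reaches the same point by crediting only one domain each to Aave, Kyber Network, and Uniswap despite far more candidates sharing some characteristics.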

What Content Do the Domains Host?

One of the malicious domains, aaaave[.]com, continues to host content similar to the official Aave website. Here’s a side-by-side comparison taken from Screenshot API.

Other domains that hosted precisely the same content as the malicious domain include:

  • aavee[.]fun
  • aaveji[.]com
  • app-aave-open[.]xyz
  • app-aave[.]pw
  • aypaave[.]com

Some domains hosted login pages, which can serve as vehicles for credential theft. Below are two examples.


DeFi platforms and their users have become prime targets of cyberattacks, with two DeFi companies recently losing US$90 million to hackers. Some of the DeFi domains we found could be used in similar malicious campaigns, including phishing, malware-based attacks, and scams.

While defensive domain registration may not be the most scalable and practical cybersecurity practice, domain monitoring and investigation can help DeFi platforms detect threats early.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
