This message was prepared by Waves Team member Inal Cardanov and published on the official forum. We reproduce the original English version here, along with a free translation into Russian for the Russian-speaking part of the community.
For roughly four hours (~4 hours) the domain name wavesplatform.com (the apex only, not its subdomains) was resolving to the wrong server.
The attacker sent fake documents to the domain registrar's support. The registrar, without fully verifying the documents, allowed the account password to be reset and the contact email to be changed. The documents were completely irrelevant, but the registrar did not care.
There were no technical problems; social engineering methods were used.
Our client came out of beta on the same day and moved from beta.wavesplatform.com to client.wavesplatform.com, but this had nothing to do with the incident described here. It was an accidental coincidence. Important note about the migration: user account data was moved to the new domain automatically, so there was no need to re-enter the seed phrase on the new domain.
Our site reliability engineer (SRE) received an alert from the monitoring system about the outage at 5:50 pm (UTC). At that time he got only a DNS error when trying to open wavesplatform.com. He checked Cloudflare and found that the DNS records had been changed. At 6:20 pm he was still getting an error when trying to open the website or https://client.wavesplatform.com. Mobile and desktop applications did not work either.
We tried to contact the domain registrar. While we were doing that, we realized that http://wavesplatform.com opened a client (mobile and desktop apps still did not work). httpS://wavesplatform.com showed an error message because the SSL certificate was issued for another domain. We had HSTS enabled (with a 30-day max-age), but HSTS only protects browsers that have already visited the site over HTTPS, so new users could still open the site over plain HTTP.
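The three conditions the post describes (apex records drifting from what monitoring expects, a served certificate that does not cover the hostname, and HSTS shielding only returning users) as a small set of defender-side checks. This is an added example, not code from the Waves team; the IP addresses, the SAN list of the hijacked host and the visit ages are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed monitoring snapshot (documentation-range IPs, not Waves' real servers).
EXPECTED = {("wavesplatform.com", "A"): {"203.0.113.10"},
            ("client.wavesplatform.com", "A"): {"203.0.113.11"}}
OBSERVED = {("wavesplatform.com", "A"): {"198.51.100.7"},       # apex hijacked
            ("client.wavesplatform.com", "A"): {"203.0.113.11"}}  # subdomain untouched
HSTS_MAX_AGE = 30 * 24 * 3600  # the 30-day max-age mentioned in the post

def dns_drift(expected, observed):
    """Return the (name, rtype) pairs whose observed answers differ from expectation."""
    return sorted(k for k in expected if observed.get(k, set()) != expected[k])

def cert_covers(hostname, san_names):
    """Does any dNSName SAN cover hostname? Exact match, or a leftmost '*.' wildcard
    matching exactly one label (so '*.example.com' does not cover the apex)."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            labels = host.split(".")
            if len(labels) >= 2 and ".".join(labels[1:]) == san[2:]:
                return True
    return False

def hsts_blocks_http(last_https_visit, now, max_age=HSTS_MAX_AGE):
    """True if a browser that cached the HSTS policy at last_https_visit still
    refuses plain HTTP at `now`. A first-time visitor (None) has no cached policy."""
    if last_https_visit is None:
        return False
    return now < last_https_visit + timedelta(seconds=max_age)

def triage(now=None):
    """Combine the checks into the findings an SRE would want during the incident."""
    now = now or datetime.now()
    # Constructed SAN list of the certificate served by the hijacked host.
    served_cert_sans = ["parking.example", "*.parking.example"]
    return {
        "dns_drift": dns_drift(EXPECTED, OBSERVED),
        "https_cert_ok": cert_covers("wavesplatform.com", served_cert_sans),
        "returning_user_protected": hsts_blocks_http(now - timedelta(days=10), now),
        "stale_user_protected": hsts_blocks_http(now - timedelta(days=40), now),
        "new_user_protected": hsts_blocks_http(None, now),
    }

if __name__ == "__main__":
    print(triage())
```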
Right after that, we started warning our users on Twitter, Telegram, Discord and all other channels not to enter their seed phrase on our website.
After fairly brief proceedings with the registrar, we decided to redirect wavesplatform.com to the lite client (it lives on a different domain, waveswallet.io, at a different registrar, with a separate source code base). It took some time to double-check the source code of our main client.
Once we were convinced that there was no threat to users, we rolled back all changes to the DNS records. At 9:50 pm Google DNS (126.96.36.199) started resolving the domains to the right servers.
At 10:29 pm Alexander Ivanov announced that everything was back online.
We also reviewed the source code of the malicious client.
We removed the message on Twitter to avoid panic, as we had quickly regained access and realized that user data could not have been compromised, given the SSL and domain-name problems described above.
The MetaMask plugin has a GitHub repository with a list of phishing sites. When the user opens any page, the plugin looks the domain up in the blacklist and, if it is listed, redirects the user to https://metamask.io/phishing.html. They added wavesplatform to the blacklist at 8:28 pm. At 10:22 pm they accepted our pull request to remove our domain from the blacklist. Thanks to the MetaMask team for their quick response.
We never require you to enter your seed on the website; it is required only in the client (wallet). If you do not want to use the web version, there are desktop and mobile applications.
Some users found strange replies in our Twitter account containing only user mentions. The Twitter account was not compromised. There was a bug in the customer support application (omnideskRU) that has access to our Twitter account. It was an accidental coincidence.
Unfortunately, it is really hard to fully protect against DNS hijacking. This incident made us think about the need for a decentralized, fast and secure DNS.
We thank everyone for their support throughout this incident, short as it was.