Curve Finance Frontend Hijacked in Ongoing DNS Attack, Users Urged to Avoid Platform

A DNS hijack targeting Curve Finance’s frontend since May 12, 2025, is serving malicious JavaScript code to steal users’ cryptocurrency, prompting urgent warnings from security experts and the DeFi platform.

Curve Finance, a popular decentralized finance platform, is under attack as hackers hijack its frontend through a DNS exploit, according to a report from Coinspect Security on May 12, 2025.

The attack, which began around 21:30 UTC, redirects users to a malicious site hosted on Cloudflare infrastructure, where wallet-draining JavaScript code is deployed.

Curve Finance confirmed the hijack remains active, urging users to avoid the platform until resolved.

Coinspect Security detailed the incident, noting the last legitimate frontend update occurred at 15:00 UTC on May 12, served from a Vercel IP (76.76.21.21). By 21:00 UTC, DNS records shifted to Cloudflare IPs, including 104.21.67.209, and malicious HTML began loading the wallet-draining script.

The firm identified the malicious JavaScript file with the hash 5a2b17d78d49d04bd8019d0652c3ee60bff3c690a8cece15b45f3dbfe7403a00, advising security tools to block it.
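A minimal monitoring sketch for the two indicators above: A records drifting away from the known-good address, and served scripts matching the blocked hash. This is an added example, not code from Coinspect or Curve Finance; the observation list is constructed, the pairing of the IPs with `curve.fi` is illustrative, and treating the 64-character hash as SHA-256 is an assumption.

```python
import hashlib
import ipaddress

# From the report: last legitimate frontend IP and the malicious script hash.
BASELINE_NETS = [ipaddress.ip_network("76.76.21.21/32")]
# Assumption: the reported 64-hex-character hash is SHA-256.
BLOCKED_SHA256 = {
    "5a2b17d78d49d04bd8019d0652c3ee60bff3c690a8cece15b45f3dbfe7403a00",
}

# Constructed resolver observations (UTC time, domain, A records),
# modelled on the reported timeline; not real capture data.
OBSERVATIONS = [
    ("2025-05-12T15:00Z", "curve.fi", ["76.76.21.21"]),
    ("2025-05-12T21:00Z", "curve.fi", ["104.21.67.209"]),
]


def dns_drift(observations, baseline_nets):
    """Return (time, domain, unexpected_ips) for answers outside the baseline."""
    alerts = []
    for when, domain, addrs in observations:
        unexpected = [
            a for a in addrs
            if not any(ipaddress.ip_address(a) in net for net in baseline_nets)
        ]
        if unexpected:
            alerts.append((when, domain, unexpected))
    return alerts


def script_is_blocked(body: bytes, blocked=BLOCKED_SHA256) -> bool:
    """True if the SHA-256 of a fetched script body is on the blocklist."""
    return hashlib.sha256(body).hexdigest() in blocked


if __name__ == "__main__":
    for when, domain, ips in dns_drift(OBSERVATIONS, BASELINE_NETS):
        print(f"{when} {domain}: resolves outside baseline -> {ips}")
    # Constructed script body; it does not match the reported hash.
    print("blocked:", script_is_blocked(b"console.log('constructed sample');"))
```

A drift alert alone is not proof of compromise, since a planned hosting migration changes A records too; it is a prompt to verify the change with the site operator before trusting the frontend.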

This incident echoes a 2022 attack on Curve Finance, where hackers stole $570,000 through a similar DNS hijack, redirecting users to a cloned site that tricked them into approving malicious contracts, per a Tronweekly report.

The recurrence highlights persistent vulnerabilities in DeFi platforms, which rely on external infrastructure like DNS that attackers can exploit. Check Point Research notes that by 2025, crypto drainers—malicious tools targeting cryptocurrency wallets—have evolved, with groups like Inferno Drainer using rapid contract rotation and obfuscation to evade detection.

“We’re monitoring the situation closely and working to resolve the hijack,” Curve Finance said in a statement on X at 23:43 UTC on May 12. The platform’s smart contracts remain unaffected, but users who interact with the frontend risk losing funds. DeFi platforms like Curve Finance manage billions in assets, making them prime targets for cybercriminals.

The attack underscores broader security challenges in the DeFi space, where decentralized systems often rely on centralized points of failure like DNS. As adoption of DeFi grows, experts call for stronger safeguards, such as decentralized domain systems or enhanced user education on phishing risks. For now, users are advised to avoid curve.fi and curve.exchange until the platform confirms the issue is resolved.
