- Two high-profile Njalla-registered domains have been hijacked, probably by phishing actors.
- The domain owners did not receive a 2FA confirmation, so the cause was either a problem on Njalla’s side or a SIM-swap attack.
- The privacy-respecting domain registration service has acknowledged the issue but refused to make public comments.
There have been reports of domains held by the Njalla registrar changing hands without triggering 2FA notices or ever giving their operators a chance to intervene and stop the transfer. One report comes from Dark.Fail, an anonymous researcher who digs deep into the Tor network, and another comes from DarknetLive.
DarknetLive has posted the following message about the situation:
“Darknetlive suddenly lost control of the darknetlive.com domain which was formerly at Njalla. At some point today, the domain was transferred to Tucows without my permission or knowledge. Darknetlive.com is currently serving phishing links. It is unclear how we will proceed going forward but domain recovery seems unlikely. It is still unclear how this party obtained access to the njalla account (assuming that is how they obtained the domain transfer authorization code). Darknetlive.com is compromised. Do not trust any content on the site unless I post another message signed with this PGP key.”
Njalla was founded by Peter Sunde Kolmisoppi, who co-founded The Pirate Bay back in 2003. It is a privacy-aware domain service that buys the domain on behalf of an anonymous individual and accepts cryptocurrency payments (among others) to help registrants maintain their anonymity. Njalla is therefore an intermediary, representing an anonymous domain owner to the name registration service. Typically, Njalla owns the domain but grants the buyer full usage rights, including the ability to transfer ownership.
It appears that malicious actors used phishing to abuse that last capability, transferring ownership of the aforementioned (and possibly more) domains to themselves. There has been no official response from Njalla yet, but P. S. Kolmisoppi has acknowledged the issue and stated that they are working on it. According to him, they cannot comment publicly on user issues of this kind because they are, in essence, a privacy-respecting service.
Thus, we do not yet know what happened or at which level it happened, so for now we can only warn you not to visit or trust the two hijacked domains. This may affect only a small portion of Njalla-registered domains, but again, there is no way to tell, so stay alert and watch for updates on this one.