Njalla-Controlled Domains Strangely Changed Hands

By Bill Toulas / April 30, 2021

Two high-profile Njalla-registered domains have been hijacked, probably by phishing actors.
The buyers of the domains haven’t received a 2FA confirmation, so this was either a problem on Njalla’s or a SIM-swap action.
The privacy-respecting domain registration service has acknowledged the issue but refused to make public comments.

There have been reports about domains controlled by the Njalla registrar changing hands without triggering 2FA notices or ever giving their operators a chance to intervene and stop the transfer. One report comes from Dark.Fail, an anonymous researcher who likes to dive deep into the Tor network, and another one comes from DarknetLive.

My domain dark[.]fail was hijacked 12hr ago. I am not in control of it. DarknetLive's domain was also stolen.

We are not the same person. Our registrar Njalla is the common denominator between both attacks. My 2FA was on. I received no emails from Njalla. Something is broken.
— dark.fail (@DarkDotFail) April 30, 2021

DarknetLive has posted the following message about the situation:

“Darknetlive suddenly lost control of the darknetlive.com domain which was formerly at Njalla. At some point today, the domain was transferred to Tucows without my permission or knowledge. Darknetlive.com is currently serving phishing links. It is unclear how we will proceed going forward but domain recovery seems unlikely. It is still unclear how this party obtained access to the njalla account (assuming that is how they obtained the domain transfer authorization code). Darknetlive.com is compromised. Do not trust any content on the site unless I post another message signed with this PGP key.”

Njalla was founded by Peter Sunde Kolmisoppi, who co-founded The Pirate Bay back in 2003. It is a privacy-aware domain service that buys the domain for the account of an anonymous individual and accepts cryptocurrency payments (among others) to help the registrants maintain their anonymity. So, Njalla is actually an in-betweener, representing an anonymous domain owner to the name registration service. Typically, Njalla owns the domain but grants the buyers full usage rights while also allowing ownership transfer actions.

It seems that somehow, malicious actors used phishing tricks to abuse that last part, shifting the ownership of the aforementioned (and possibly more) domains to themselves. There was no official response from Njalla’s side yet, but P. S. Kolmisoppi has acknowledged the issue and stated that they are working on it. According to the man, they can’t comment on user issues of this kind publicly because they are, in essence, a privacy-respecting service.

https://twitter.com/brokep/status/1388075234507493376

Thus, we really don’t know what happened and on what level, and so we will only warn you not to visit or trust the two hijacked domains. Possibly, this affects only a small portion of Njalla-registered domains, but again, we have no way to tell, so beware and stay tuned for any updates on this one.

This website uses cookies to ensure you get the best experience on our website.

Njalla-Controlled Domains Strangely Changed Hands

A New Well-Concealed Phishing Scam Targets Apple Users via Call

‘Thallium’ Continues Targeting South Korean Government and Key Entities

Spammers Today Can Start a Phishing Business With a Handful of Dollars

The Chrome Browser Gets a Brand New Phishing Protection System

New Phishing Campaigns Target Netflix Users and AMEX Customers

Phishing Campaign Stole Coinbase Users One-Time Passwords