Njalla-Controlled Domains Strangely Changed Hands

  • Two high-profile Njalla-registered domains have been hijacked, probably by phishing actors.
  • The domains’ buyers did not receive a 2FA confirmation, so this was either a problem on Njalla’s side or a SIM-swap attack.
  • The privacy-respecting domain registration service has acknowledged the issue but declined to comment publicly.

There have been reports about domains controlled by the Njalla registrar changing hands without triggering 2FA notices or ever giving their operators a chance to intervene and stop the transfer. One report comes from Dark.Fail, an anonymous researcher who likes to dive deep into the Tor network, and another one comes from DarknetLive.

DarknetLive has posted the following message about the situation:

“Darknetlive suddenly lost control of the darknetlive.com domain which was formerly at Njalla. At some point today, the domain was transferred to Tucows without my permission or knowledge. Darknetlive.com is currently serving phishing links. It is unclear how we will proceed going forward but domain recovery seems unlikely. It is still unclear how this party obtained access to the njalla account (assuming that is how they obtained the domain transfer authorization code). Darknetlive.com is compromised. Do not trust any content on the site unless I post another message signed with this PGP key.”

Njalla was founded by Peter Sunde Kolmisoppi, who co-founded The Pirate Bay back in 2003. It is a privacy-aware domain service that buys the domain on behalf of an anonymous individual and accepts cryptocurrency payments (among others) to help registrants maintain their anonymity. Njalla is thus an intermediary that represents the anonymous domain owner to the name registration service. Typically, Njalla owns the domain but grants the buyers full usage rights while also allowing ownership transfer actions.

It seems that malicious actors somehow used phishing tricks to abuse that last part, shifting the ownership of the aforementioned (and possibly more) domains to themselves. There has been no official response from Njalla yet, but P. S. Kolmisoppi has acknowledged the issue and stated that they are working on it. According to him, they can’t comment publicly on user issues of this kind because they are, in essence, a privacy-respecting service.

We therefore don’t know what happened or at what level, so we can only warn you not to visit or trust the two hijacked domains. This possibly affects only a small portion of Njalla-registered domains, but again, we have no way to tell, so beware and stay tuned for any updates on this one.
