Njalla-Controlled Domains Strangely Changed Hands

  • Two high-profile Njalla-registered domains have been hijacked, probably by phishing actors.
  • The buyers of the domains haven’t received a 2FA confirmation, so this was either a problem on Njalla’s or a SIM-swap action.
  • The privacy-respecting domain registration service has acknowledged the issue but refused to make public comments.

There have been reports about domains controlled by the Njalla registrar changing hands without triggering 2FA notices or ever giving their operators a chance to intervene and stop the transfer. One report comes from Dark.Fail, an anonymous researcher who likes to dive deep into the Tor network, and another one comes from DarknetLive.

DarknetLive has posted the following message about the situation:

“Darknetlive suddenly lost control of the darknetlive.com domain which was formerly at Njalla. At some point today, the domain was transferred to Tucows without my permission or knowledge. Darknetlive.com is currently serving phishing links. It is unclear how we will proceed going forward but domain recovery seems unlikely. It is still unclear how this party obtained access to the njalla account (assuming that is how they obtained the domain transfer authorization code). Darknetlive.com is compromised. Do not trust any content on the site unless I post another message signed with this PGP key.”

Njalla was founded by Peter Sunde Kolmisoppi, who co-founded The Pirate Bay back in 2003. It is a privacy-aware domain service that buys the domain for the account of an anonymous individual and accepts cryptocurrency payments (among others) to help the registrants maintain their anonymity. So, Njalla is actually an in-betweener, representing an anonymous domain owner to the name registration service. Typically, Njalla owns the domain but grants the buyers full usage rights while also allowing ownership transfer actions.

It seems that somehow, malicious actors used phishing tricks to abuse that last part, shifting the ownership of the aforementioned (and possibly more) domains to themselves. There was no official response from Njalla’s side yet, but P. S. Kolmisoppi has acknowledged the issue and stated that they are working on it. According to the man, they can’t comment on user issues of this kind publicly because they are, in essence, a privacy-respecting service.

Thus, we really don’t know what happened and on what level, and so we will only warn you not to visit or trust the two hijacked domains. Possibly, this affects only a small portion of Njalla-registered domains, but again, we have no way to tell, so beware and stay tuned for any updates on this one.



Cryptocurrency Scammers Have Hijacked Twitter Account of Argentinian Politician

Bitcoin scammers have taken over the Twitter account of a prominent political person in Argentina.The actors are leading their prospective victims to...

Researchers Find 19 Petabytes of Data Exposed Online and Accessible by Anyone

There is enough exposed data out there to fill tens of thousands of high-capacity hard drives.It appears that Chinese admins using Hadoop...

“Bulletproof Hosting” Operators Pleaded Guilty in American Court

Four key members of a popular and successful “bulletproof hosting” provider have admitted their guilt.They are now facing maximum penalties of 20...