Hackers hijack OpenEden DNS in latest crypto phishing wave

OpenEden made headlines today, February 16, as the established tokenized asset management platform announced that attackers had compromised the Domain Name System (DNS) for both its main website and user portal, creating an immediate wallet security threat for anyone attempting to access the platform through regular web browsers.

“It appears that the DNS for both openeden.com and portal.openeden.com is compromised. Do NOT interact with them,” the Singapore-based company posted on their X account. 

The warning emphasized that while “all reserve assets remain SAFU and can be verified via OpenEden’s Chainlink Proof-of-Reserve feed,” users who visit the hijacked domains can lose their wallet’s assets. 

The OpenEden team stated that it was currently investigating the breach and promised to provide updates as the situation develops.

A huge blow for key player in the crypto industry

The DNS compromise caused a lot of concern, especially given OpenEden’s role as a major institutional custodian of tokenized real-world assets. The company was founded in 2022 in Singapore and operates as an issuer of tokenized US treasury bills through its flagship TBILL token, which provides investors with direct access to tokenized treasury bills backed by corresponding securities kept in segregated accounts.

The platform grew to become a key player in the crypto space and became the first tokenized RWA issuer to receive A ratings from investment analysts (A from Moody’s and AA+ from S&P Global Ratings) for its Treasury fund. 

With such a large industrial footprint (serving professional investors, DAO treasuries, and other firms), the DNS compromise creates risk for DeFi users, but more so for bigger market participants who assume that institutional-grade platforms have enterprise-level security protecting their web access points.

How did the DNS attack happen?

DNS hijacking attacks work by compromising the Internet’s addressing system. The Domain Name System works like the Internet’s phonebook, translating human-readable domain names like “openeden.com” into number-based IP addresses that computers use to route traffic. 

As such, when attackers hijack a domain’s records, they can redirect visitors to malicious sites without touching the original platform’s infrastructure.

In OpenEden’s case, users typing “openeden.com” or “portal.openeden.com” into their browsers would be rerouted to attacker-owned servers hosting fake versions of the original platform. 

These fake sites would replicate the original interface pixel for pixel, and then prompt users to connect their wallets. After connecting, the malicious site can then request transaction signatures that appear on the website like normal website interactions, but are actually authorizing transfers of tokens to attacker wallets.

Luckily, this attacker operates independently of OpenEden’s smart contracts and reserve custody systems. The platform’s TBILL and USDO tokens remain secure in their respective vaults, and all the reserve assets backing those tokens continue to be verifiable through Chainlink’s Proof of Reserve oracles. 

This means that the DNS attack only creates risk for users who visit the hijacked domains and interact with the phishing interface, forcing OpenEden to announce a warning to all users to stop interacting with their website.

Latest in wave of DNS attacks targeting crypto platforms

The OpenEden incident falls into a concerning pattern of DNS hijackings targeted at crypto platforms. In November 2025, Aerodrome Finance (the largest decentralized exchange on Coinbase) was hijacked by attackers, seizing control of the platform’s domain registration to re-route traffic to a fake site. 

Aerodrome’s smart contracts remained uncompromised, but the phishing site was able to trick unsuspecting users into signing transaction approvals that drained wallets of ETH, USDC, and various other tokens.

In the same vein, Curve Finance experienced a DNS hijacking in May 2025 when attackers infiltrated the domain registrar “iwantmyname” and tweaked the DNS delegation for the “curve.fi” domain. 

Naturally, users were redirected to other sites, but Curve’s team responded by migrating to a secure alternative domain and urging users to access the platform through Ethereum Name Service (ENS) mirrors instead of the traditional DNS.

DNS attacks work well for crypto platforms in particular because users must connect wallets and sign transactions frequently, which creates various opportunities for phishing sites to target. 

OpenEden has not disclosed how the attackers gained control of its DNS records or which registrar manages its domains, as the investigation is still ongoing. 

However, the platform has not provided a timeline for when safe access to their domains would be restored. In the meantime, users looking to verify reserve holdings can access the Chainlink Proof of Reserve directly for real-time information on assets connected to OpenEden.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.