Skip to main content
Sign in

Neutrl DeFi DNS Frontend Hijack (March 2026)

avoid.net/neutrl-dns-hijack-march-202662/100·78% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·58rsAP…Pxeb

Summary

On March 19, 2026, DeFi protocol Neutrl experienced a suspected DNS hijack of its frontend domain, in which attackers allegedly social-engineered the protocol's DNS provider to redirect user traffic to a malicious interface targeting Permit2 wallet approvals. Neutrl paused its smart contracts as a precaution, migrated to new infrastructure by March 21, and confirmed all user funds remained safe via the protocol's custodial isolation framework. This incident is considered the earliest confirmed event in a six-week cluster of DeFi frontend hijacks in early 2026 that also struck HypurrFi (April 3) and CoW Swap (April 14).

Connected Entities

1 entities · 10 linked investigations
Protocols
Neutrl DeFi DNS Frontend Hijack (March 2026)
Relationships
    Also appears in
    edgeX Exchange·28Gamma Strategies·28Alephium Bridge·18Bunni Protocol·28BitGrail·2Thorchain DEX·14Crossmint·78Access Protocol·47Orca·80KuCoin Exchange Hack·32
    Have evidence about Neutrl DeFi DNS Frontend Hijack (March 2026)?

    Timeline(8 events)

    2025-04-16

    Neutrl raises $5 million in seed funding led by STIX and Accomplice, with participation from Amber Group, SCB Limited, Figment Capital, Nascent, Guy Young (Ethena founder), and Joshua Lim (Arbelos Markets).

    CoinDesk

    2025-11-01

    Neutrl opens to the public following completion of a $75 million pre-deposit vault campaign; NUSD becomes broadly accessible.

    IQ.wiki

    2026-03-19

    Neutrl DeFi detects a malicious event affecting its frontend, attributed to a suspected DNS hijack via social engineering of the protocol's DNS provider. Smart contracts are paused as a precaution. Users warned not to interact with the website. Investigation launched with external collaborator 0xGroomLake. Malicious contract addresses 0x23f2741EaA0045038e9b52100CdcC890163dE53F and 0xa0Adf074056E41dfB892aFC69881E15073b384b9 flagged publicly.

    Crypto Times

    2026-03-21

    Neutrl completes DNS migration to new domain (neutrl.finance / app.neutrl.finance), switches to a new DNS provider, unsuspends smart contracts, and confirms all user funds are safe. Original domain (neutrl.fi) begins gradual phase-out.

    PANews / WEEX Crypto News

    2026-04-03

    HypurrFi reports a domain hijack of hypurr.fi attributed to social engineering at registrar Openprovider — the second confirmed event in the 2026 DeFi frontend hijack cluster.

    The Block

    2026-04-14

    CoW Swap's cow.fi domain is hijacked at 14:54 UTC via social engineering of registrar Gandi through Traficom (Finland's .fi TLD authority). Approximately $1.2 million in user losses reported.

    The Block

    2026-04-15

    Web3SecNews publishes "The .fi Files" field report characterizing the Neutrl, HypurrFi, CoW Swap, and Steakhouse incidents as a coordinated campaign rather than isolated events.

    Web3SecNews (Substack)

    2026-05-12

    CoW DAO passes CIP-86, authorizing compensation for users who lost funds in the April 14 DNS hijack. No comparable compensation proposal recorded for the Neutrl incident, consistent with reports of no confirmed user losses.

    Crypto Times
    Provenance & Audit Trail
    Anchored on SolanaVerify on-chain

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    full audit log →version history →

    model: claude-sonnet-4-6

    generated: 6/2/2026, 8:26:13 PM

    last updated: 6/2/2026, 8:27:23 PM

    avoid.net — verified advice for a post-truth world