Zombie dApps: Abandoned Web3 Sites Revived as Wallet Drainers

When crypto projects shut down, their web site domain names are often abandoned. Attackers are now re-registering these domains and using them to steal users’ funds.

Attackers revive abandoned dApp domains that remain linked from reputable DeFi platforms and news sites. By reusing the project’s original branding and reputation, attackers can trick users into signing malicious transactions to empty their wallets.

We call them Zombie dApps. So far, we’ve identified over 100 cases, and helped protect users from them in collaboration with DeFi aggregator platforms and crypto threat monitoring teams.

Why Attackers Reanimate Dead dApps

When decentralized applications front-ends and marketing websites go offline, their digital legacy persists. Expired web domains associated with popular or once-legitimate projects become a valuable asset for attackers. But why would anyone bother to revive the digital corpse of a defunct project?

Inherited Visibility and Trust

Abandoned dApp domains often come with a rich set of residual visibility. Think social media threads, video walkthroughs, DeFi aggregators like DeFiLlama and DappRadar, and historical mentions on CoinMarketCap and news sites. Attackers can exploit this footprint to instantly gain apparent legitimacy and reputation that a newly registered domain could never achieve.

A Passive Funnel, Not a Phishing Hook

Unlike typical phishing campaigns, Zombie dApp attacks do not need to use unsolicited messages or social engineering to lure victims. Instead of suspicious emails or random DMs, users can be funneled naturally from legitimate and long-standing sources. Clicking on a link in a tutorial video or browsing a DeFi aggregator may redirect users to the attacker’s traps.

Slipping Past Domain Reputation Defenses

The residual credibility of these domains allows malicious dApps to bypass crypto security extensions, wallets, and scanners that deprioritize alerts for well-established or previously trusted sites. Wallets and security browser extensions that rely on domain age, popularity, or prior classification to reduce false positives can be blind to zombie dApp threats.

These are the kinds of risks we take into account when evaluating wallet security. See our Wallet Security Ranking for more.

Hunting Zombies

In 2025, Coinspect identified and reported over a hundred web domains repurposed for malicious use. Following these reports, the domains were promptly blocked on aggregators and added to wallet blocklists, protecting users from being attacked. This coordinated effort likely saved many users from falling into traps.

The Resurrection Wave

Our monitoring revealed that many of these cases weren’t isolated. On May 31, attackers registered over 90 domains using NameSilo, LLC as registrar. Most were acquired within a 20-second window, pointing to automation and a precompiled list of targets.

The campaign didn’t stop there. In the following weeks, more domains with the same registrar, infrastructure, and hosting setup kept appearing. To understand how attackers scale this operation, we analyzed the infrastructure behind the repurposed domains.

Common Zombies Deployment Pattern

Across all domains identified in the campaign, attackers followed a consistent infrastructure strategy to deploy wallet drainers at scale. While DNS providers vary slightly, nearly all domains exhibit the same redirection flow and final hosting destination.

DNS and Hosting Setup:

• 77% of domains use Vercel nameservers (ns1.vercel-dns.com, ns2.vercel-dns.com) and are hosted directly on Vercel. In these cases, Vercel handles both DNS and hosting.
• 17% use DNSOwl as nameserver provider but return A records pointing to Vercel infrastructure. Although DNS is managed externally, the domains still resolve to and respond from Vercel.
• 6% use NSOne nameservers and point directly to Netlify. These skip Vercel entirely but behave the same way.

Redirect Pattern:

None of these domains serve malicious content directly. Instead, they immediately redirect to a Netlify subdomain, where the actual wallet drainer is hosted. These Netlify destinations rotate frequently, likely in response to blocklisting or takedown efforts.

Case Study: astar.exchange

One example illustrates how attackers continue to exploit this pattern beyond the initial May 31 spike. The domain astar.exchange was left unregistered for 69 days:

• Dropped: April 25, 2025
• Re-registered: July 3, 2025

Shortly after registration, the new owner deployed a fake frontend posing as a shutdown notice. The page encouraged users to “withdraw any staked funds” by connecting their wallets. This setup targeted users who had previously interacted with the project and might return to recover funds they believed were still locked in the protocol.

Although astar.exchange wasn’t part of the May 31 batch, it used the same infrastructure and wallet-draining tactics, confirming the campaign remained active into July.

Sharpened Stake Finale

The campaign came to an abrupt end after one of the operators exposed a GitHub username in a public repository linked to their infrastructure. That clue led us to a Telegram handle listed in the same repo. We began following the trail and eventually attempted to contact the account. Shortly after, the GitHub repository was deleted, the Telegram handle went offline, and, most notably, the rotating redirect domains stopped. It marked the sudden end of a campaign that had evaded takedown efforts for weeks.

Half-Dead Effort, A Threat Yet to Mature

While this particular operation is over, the techniques used were simplistic and lacked sophistication. Even in this basic form, they posed a real threat to users. If future attackers adopt more polished approaches, these scams could become significantly harder to detect and more damaging.

No UI replication: The zombie dApps didn’t recreate the original user interface. Instead, they showed generic messages like “project shutting down, withdraw funds” to trick users into connecting their wallets. Rebuilding the original UI would likely make the attack more convincing,

Redirections reduce potential trust signals: The zombie domains immediately redirect to another site. While this simplifies deployment, it breaks continuity with the original domain and can trigger warnings in wallets. For instance, Rabby Wallet treats aggregator listings as a trust signal and shows warnings when a domain isn’t listed. By redirecting to a new, unlisted domain, the attackers caused a warning that could have been avoided by serving the drainer directly from the original, previously listed domain.

No control over social channels: So far, we haven’t seen attackers restoring email services (e.g. via DNS MX records) to recover access to the project’s original accounts on Twitter, Discord, or other platforms. The focus has remained on domain traffic only. But if future attacks combine domain ownership with control over legacy communication channels, impersonation attempts will become much harder to spot.

Sunsetting dApps Safely

If you’re a developer or team winding down a Web3 project, don’t leave a security hole behind. Here are concrete steps to ensure your dApp rests in peace, instead of coming back as a zombie:

• Keep the domain: Renew it, even if the project is over. It’s cheap, and it blocks attackers.

• Add a shutdown notice: Replace the frontend with a static page explaining the project is closed. Warn users not to trust future versions. Use Twitter, Discord, or your blog to explain the closure and warn about fakes.

• Notify aggregators: Tell platforms like DeFiLlama or DappRadar to delist or mark the project as inactive.

• Report to security groups: Let teams like SEAL know the domain is intentionally defunct. This helps block future abuse faster.

Contributing to Ecosystem Defense

This isn’t just about detecting active threats, we’re also working to prevent the next wave. As part of our effort to protect users, we proactively scanned and analyzed dormant domains to identify projects at risk of becoming future Zombie dApps.

We reported 475 dead URLs to DeFiLlama, flagging them as inactive or unreachable so they can be delisted or marked accordingly.

Logic We Used to Detect Parked and Abandoned dApps

To identify domains at risk of being reactivated as Zombie dApps, we used a custom script that combined content matching, network request analysis, and infrastructure error detection.

• Content analysis: We looked for telltale phrases often found on parking pages.

• Network request patterns: We flagged requests to known domain parking providers (e.g., sedo.com, bodis.com, afternic.com, hugedomains.com, etc.).

• Infrastructure errors: Domains returning DNS resolution failures, expired TLS certificates, or SSL protocol errors were also considered inactive or abandoned.

Here’s a simplified version of part of the logic:

const PARKED_CONTENT_PATTERNS = [
  'this domain is for sale',
  'domain for sale',
  'parked domain',
  'buy this domain',
];

const PARKING_URL_PATTERNS = [
  'sedo.com',
  'bodis.com',
  'afternic.com',
  'hugedomains.com',
];

function isParkedByContent(html) {
  return PARKED_CONTENT_PATTERNS.some((pattern) =>
    html.toLowerCase().includes(pattern)
  );
}

function isParkedByRequest(urls) {
  return urls.find((reqUrl) =>
    PARKING_URL_PATTERNS.some((pattern) => reqUrl.includes(pattern))
  );
}

function isDnsError(errorMessage) {
  return /ENOTFOUND/i.test(errorMessage);
}

function isCertError(errorMessage) {
  return /CERT_HAS_EXPIRED/i.test(errorMessage);
}

function isSslProtocolError(errorMessage) {
  return /ERR_SSL_PROTOCOL_ERROR/i.test(errorMessage);
}

This logic, combined with a headless browser and error classification, helped us proactively flag 475 dApp domains as dead or at risk of takeover.

You can find the full script here if you want to reproduce or extend the analysis.

Conclusion

dApp frontends remain one of the least monitored parts of the Web3 ecosystem, despite being the primary interface between users and smart contracts. That’s why we developed a system that continuously monitors dApp frontends to detect signs of hijacking, supply chain threats, repurposing, and abuse. Not just to observe, but to act when threats emerge.

This monitoring effort led to the discovery of the zombie dApp phenomenon. While the specific campaign we tracked has been shut down, the broader issue remains: dormant infrastructure can be weaponized long after a project ends.

The full dataset from our investigation is now open-sourced in the DeFiLlama GitHub. If you’re working on domain monitoring, wallet security, or threat prevention, and need a streamlined, always-updated feed of dApp-domain status get in touch. We’re open to exploring potential solutions together and publishing improvements back to the ecosystem so everyone benefits.