    Steakhouse Financial Confirms DNS Hijack, Says No User Funds Were Lost

    April 11, 2026

    TLDR:

    • Attackers socially engineered OVHcloud support to remove hardware 2FA, enabling full account access within an hour.
    • The phishing site used an Inferno Drainer kit and ran live for roughly four hours on March 30, 2026.
    • ICANN’s five-day domain transfer lock gave Steakhouse Financial time to cancel an outbound transfer filed by the attacker.
    • Steakhouse vaults on Morpho operated independently throughout; no depositor funds were at risk at any point.

    A social engineering attack briefly redirected Steakhouse Financial’s website to a phishing page on March 30, 2026. 

    Attackers manipulated the domain registrar’s support team to strip account security protections. The phishing site ran for roughly four hours before the team reclaimed control. No user funds were lost, and no onchain contracts were touched.

    How Attackers Broke Into Steakhouse Financial’s Domain Registrar

    The attacker called OVHcloud, the domain registrar used by Steakhouse Financial, and posed as the account owner. They provided enough personal information to pass OVH’s phone-based identity check. 

    An OVH support agent then removed the hardware-based two-factor authentication on the account.

    Within seconds of logging in, the attacker ran automated scripts. These deleted every second-factor device on the account and enrolled their own. The speed pointed to a pre-planned operation.

    The attacker then redirected the domain’s nameservers to servers under their control. 

    They pointed the site’s A records to a cloned version of the Steakhouse website hosted on Hostinger. That cloned site carried a wallet drainer linked to Inferno Drainer, a known drainer-as-a-service operation.

    Let’s Encrypt TLS certificates were obtained within minutes. This made the phishing site appear legitimate to standard browsers. Wallet extensions from Phantom, MetaMask, and Rabby flagged the site as malicious independently and quickly.

    Steakhouse Financial Regained Control Within Hours, Funds Remained Safe

    Steakhouse Financial’s team spotted the unauthorized email-change notification at 08:47 UTC and contacted OVH immediately. The phishing site went live around 09:59 UTC. 

    The team posted a public warning on X at 10:34 UTC, under 30 minutes after the site became operational.

    The Security Alliance (SEAL) was brought in at 11:25 UTC while the attack was still active. The team worked across multiple parallel tracks. These included account recovery, DNS forensics, and transfer cancellation.

    The attacker had filed an outbound domain transfer. ICANN’s five-day transfer timelock gave the team time to cancel it.

    The team contacted Hostinger directly to reject the transfer on the receiving end. Hostinger later confirmed the offending account was frozen and closed.

    By 12:56 UTC, the team had reclaimed the OVH account. DNS was fully restored by approximately 13:55 UTC. Steakhouse Financial confirmed all domains were safe to use by April 1.

    The company has since migrated to a registrar supporting hardware-key MFA and registrar-level locks. A continuous DNS monitoring system now watches all Steakhouse domains in real time. According to the post-mortem published by Steakhouse Financial on X, a full vendor security review process is now being established across all supply-chain vendors.
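The monitoring and registrar-lock controls described above amount to comparing each observation of a domain against a known-good baseline. The sketch below is an added example, not Steakhouse Financial's code: the `Snapshot` structure, hostnames, IP addresses and severity labels are assumptions, the sample data is constructed, and the EPP status codes are the standard ones a registrar's RDAP/WHOIS record exposes.

```python
"""DNS/registrar drift check over constructed snapshots (no network access)."""
from dataclasses import dataclass

# Registrar-level locks expected on every monitored domain (standard EPP codes).
REQUIRED_LOCKS = frozenset({"clientTransferProhibited", "clientUpdateProhibited"})

@dataclass(frozen=True)
class Snapshot:
    nameservers: frozenset   # NS hostnames delegated for the domain
    a_records: frozenset     # IPv4 addresses the site resolves to
    epp_status: frozenset    # status codes from the registrar's RDAP/WHOIS record

def _hosts(names):
    # DNS names are case-insensitive and may carry a trailing dot.
    return frozenset(n.strip().rstrip(".").lower() for n in names)

def detect_drift(baseline, observed):
    """Return (severity, code, detail) tuples, most urgent first."""
    findings = []
    new_ns = _hosts(observed.nameservers) - _hosts(baseline.nameservers)
    if new_ns:
        findings.append(("critical", "ns_changed", sorted(new_ns)))
    if "pendingTransfer" in observed.epp_status:
        findings.append(("critical", "transfer_pending", []))
    missing = REQUIRED_LOCKS - observed.epp_status
    if missing:
        findings.append(("high", "lock_removed", sorted(missing)))
    new_a = observed.a_records - baseline.a_records
    if new_a:
        # A new address under unchanged nameservers may be a planned deploy.
        sev = "critical" if new_ns else "medium"
        findings.append((sev, "a_changed", sorted(new_a)))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample data (.example hostnames, documentation-range IPs).
BASELINE = Snapshot(frozenset({"ns1.dns-provider.example", "ns2.dns-provider.example"}),
                    frozenset({"192.0.2.10"}), REQUIRED_LOCKS)
HIJACKED = Snapshot(frozenset({"ns1.unknown-host.example"}),
                    frozenset({"203.0.113.77"}), frozenset({"pendingTransfer"}))

if __name__ == "__main__":
    for severity, code, detail in detect_drift(BASELINE, HIJACKED):
        print(severity, code, detail)
```

In practice the observed snapshot would be filled from resolver queries and the registrar's RDAP record on a schedule, with any critical finding paging the on-call owner.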

    Adrian Cachinero Vasiljevic, the partner responsible for operations at Steakhouse Financial, issued a personal apology. He stated that identifying this attack vector was his responsibility and committed to driving the security hardening work going forward.
