The Digital Defense Report that Microsoft recently issued features a typical rogues’ gallery of cyberthreats, including phishing, ransomware, and supply-chain attacks. But it adds an unusual villain to the list: blockchain domains.
“The next big threat” is how Microsoft’s latest annual security report characterizes domain names written into a distributed ledger maintained across a constellation of computers instead of stored in a traditional, centralized registry.
Storing domain names on a blockchain can make them difficult to shut down or even trace to their owners. It also leaves them inaccessible without special software or settings.
“In recent years, we have observed blockchain domains integrated into cybercriminal infrastructure and operations,” the report says, nodding to Microsoft’s experience last spring disrupting a botnet called Necurs.
That botnet used a domain-generating algorithm to create new hosts in bulk—including under the .bit blockchain top-level domain, where they cannot be policed like a .com or other standards-compliant domain.
The potential for abuse led a group called OpenNIC, which promotes alternatives to the traditional domain-name system, to vote in 2019 to block the .bit domain lest the organization be “directly responsible for the creation of a whole new class of malware.”
Adds Microsoft’s report: “This trend of threats leveraging blockchain domains as infrastructure with the means to create an undisputable criminal network should be taken seriously.”
Can’t stop ’em
Among proponents of a decentralized internet, meanwhile, you’ll see a common response to the critique that blockchain domains can’t be taken down: Yes, that’s correct.
As the sales pitch on the homepage of one blockchain-domain registrar, Unstoppable Domains, reads: “Unlike traditional domains, Unstoppable Domains are fully owned and controlled by the user with zero renewal fees ever (you buy it once, you own it for life!).”
It quotes one-time registration fees ranging from $20 to $100 under such blockchain top-level domains as .crypto, .wallet, .coin, .888 and .x, although costs can escalate dramatically for shorter, more memorable domains. For example, potomacriver.x would cost $100 versus $7,500 for potomac.x.
Over email, Unstoppable Domains CEO Matthew Gould rejected the idea that his San Francisco-based company is an irresponsible actor. He noted the company’s trademark-compliance policies (its site would not let me start registering fastcompany.x, showing that domain as “protected”) and its measures to screen applicants.
“We have also prevented the registration of domains associated with known pirating software or other types of IP theft and fraud,” he wrote, adding that Unstoppable can even take back a domain if registrants park it with its custody service instead of transferring it to their own cryptocurrency wallet—the former option being an easier route that about 75% of registrants take today.
Gould also rejected the notion that blockchain domains were optimized for malware, countering that they would instead increase trust for cryptocurrency transactions.
“Anonymous users want to generate new addresses every time as this is best practice,” he wrote. “Domains create a single memorable nonchanging endpoint that actually makes crypto payments less anonymous.”
Microsoft declined to expand on the findings in the report.
Special browser required
Sean Gallagher, senior threat researcher with the research firm Sophos, wrote in an email that while blockchain domains have been used for malware, their need for custom routing made them an inefficient option for such attacks, since malware can’t spread via garden-variety web browsers that don’t support the domains. He also noted that blockchain domains offer less privacy than Tor, the cloaked routing system used to evade many censorship regimes: “They don’t offer anonymity for the destination.”
The simplest way to route yourself to a blockchain domain, such as brad.crypto—the web space of Unstoppable Domains cofounder Bradley Kam—is to use one of the few browsers already supporting that namespace, such as the Chrome-based, privacy-optimized Brave. Type brad.crypto into Brave’s address bar, click to accept the blockchain routing, and you should see Kam’s gallery of NFT (non-fungible token) artwork.
Kevin Werbach, a professor at the University of Pennsylvania’s Wharton School, who noted that he’d just registered kwerb.eth (that suffix references another blockchain domain system, the Ethereum Name Service), said he doubted browser support for blockchain domains would expand anytime soon.
“Google, Apple, and Microsoft aren’t going to provide native support without a comfort level about addressing those concerns,” he wrote. That will leave adoption depending on people’s willingness to switch browsers, install browser extensions, or custom-configure DNS settings—the latter two practices being the sort of tinkering occasionally abused for malware.
“DNS has security vulnerabilities which are partly due to its centralized structure, but putting domain names on a blockchain creates a new set of security risks,” Werbach added. “I don’t think we know enough to make categorical statements about the magnitude of the relative risks.”
The prevailing frothiness of cryptocurrency and blockchain hype provides reason for skepticism.
Mike Masnick, publisher of the Techdirt tech-policy blog and an advocate for a more decentralized social internet, lauded the potential for blockchain domains “to create both a different kind of incentive structure and one in which users may retain more control over their own information.”
But then he added that the blockchain space today is “filled almost entirely by mercenary folks looking for profit, which has some useful elements—in terms of bringing in funding and incentivizing certain behaviors, but also has the real potential for prioritizing pure profit over societal benefit.”
Masnick didn’t point out the parallels with today’s commercial social media. But why would he have to?