Cryptonews

Cyber Attack on Steakhouse Financial Repelled, Customer Assets Remain Intact

Source: cryptonewstrend.com
On March 30, 2026, attackers temporarily hijacked Steakhouse Financial's website through a social engineering attack on its registrar, OVHcloud, and redirected visitors to a phishing page. No software vulnerability was involved: the attackers posed as the account owner, supplied enough personal details to pass OVH's phone-based identity check, and persuaded a support agent to disable the hardware-based two-factor authentication on the account. That single support action gave them full control of it.

Once inside, the attackers ran automated scripts that removed every enrolled second-factor device and enrolled their own within seconds, a sign of a rehearsed operation. They then changed the domain's nameservers to servers under their control and set the site's A records to a cloned copy of the Steakhouse website hosted on Hostinger. Because the delegation itself had moved, every record for the domain was now answered by the attackers' servers, not just the records they had edited. The clone carried a wallet-drainer script attributed to Inferno Drainer, a drainer-as-a-service operation; drainers of this kind do not steal keys but prompt a connected wallet to sign transactions or approvals that hand its assets to the attacker.

To make the clone look legitimate, the attackers obtained Let's Encrypt TLS certificates for the domain. Domain validation proves only control of the domain's DNS or web endpoint, which the attackers already had, so issuance was routine and the padlock gave ordinary browsers no reason to object. The issuance did, however, leave a record in the public Certificate Transparency logs, which is one of the signals a domain-monitoring setup can watch. Wallet extensions from Phantom, MetaMask, and Rabby flagged the site as malicious through their own phishing-detection lists, independently of anything the browser checked.

Steakhouse Financial's team noticed an unauthorized email-change notification from OVH at 08:47 UTC and contacted OVH to report the compromise. The phishing site went live at 09:59 UTC, and the team published a warning on X by 10:34 UTC. The Security Alliance (SEAL) was brought in at 11:25 UTC, while the attack was still in progress.

The team worked three tracks in parallel: recovering the OVH account, DNS forensics, and cancelling an outbound domain transfer the attackers had initiated. A registrar-to-registrar transfer does not complete immediately; ICANN's transfer policy gives the losing registrar a five-day window to approve or deny the request, and that pending period gave the team the time it needed to cancel the transfer. The team contacted Hostinger directly, which confirmed that it had frozen and shut down the offending account. By 12:56 UTC the team had regained control of the OVH account, and DNS was fully restored by approximately 13:55 UTC.

Steakhouse Financial confirmed on April 1 that all of its domains were safe to use again. It has since moved to a registrar that supports hardware-key multi-factor authentication and registrar-level locks, and has put continuous DNS monitoring in place that watches every Steakhouse domain in real time for unexpected changes. A vendor security review covering its supply-chain vendors is also being established. One caveat applies to the lock: a registrar lock (the clientTransferProhibited and clientUpdateProhibited EPP statuses) is lifted by the registrar, so a support agent who can be talked into disabling MFA can also be talked into lifting it; a registry lock (serverTransferProhibited and related statuses), which only the registry removes after out-of-band verification, is the stronger control against exactly this attack.
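The continuous DNS monitoring described above amounts to comparing a signed-off baseline of the domain's records against what resolvers currently return and paging on drift, with a change of delegation (NS) treated as the most serious case because it hands every other record to whoever now runs the nameservers. The following is an added illustration of that check, not Steakhouse Financial's monitoring system; the domain, nameserver names and addresses are constructed placeholders, and the live lookup is a dictionary stand-in for a real resolver call.

```python
# Baseline-vs-observed DNS drift check. Added illustration for this article; it is not
# Steakhouse Financial's monitoring system. All names and addresses below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

RecordKey = Tuple[str, str]               # (owner name, record type)
Zone = Dict[RecordKey, FrozenSet[str]]    # canonicalised record sets
Lookup = Callable[[str, str], Iterable[str]]

# NS drift means the delegation itself moved and the new servers answer for everything else,
# so it outranks A/AAAA/MX drift, which may be a single-record tamper. TXT covers SPF and
# ownership tokens. Dict order doubles as the query order for snapshot().
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high", "TXT": "medium"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    severity: str
    expected: FrozenSet[str]
    observed: FrozenSet[str]

    def __str__(self) -> str:
        added = ", ".join(sorted(self.observed - self.expected)) or "-"
        gone = ", ".join(sorted(self.expected - self.observed)) or "-"
        return f"[{self.severity}] {self.name} {self.rtype}: added {{{added}}} removed {{{gone}}}"


def canon(rtype: str, value: str) -> str:
    """Canonical form so cosmetic differences never page anyone: hostnames in NS and MX
    data are case-insensitive and may carry a trailing dot; addresses and TXT are verbatim."""
    v = value.strip()
    if rtype in ("NS", "MX"):
        return v.lower().rstrip(".")
    return v


def snapshot(names: Iterable[str], lookup: Lookup, rtypes: Iterable[str] = SEVERITY) -> Zone:
    """Build a zone view by asking lookup(name, rtype) for every watched record type."""
    zone: Zone = {}
    for name in names:
        for rtype in rtypes:
            zone[(name, rtype)] = frozenset(canon(rtype, v) for v in lookup(name, rtype))
    return zone


def diff_zone(baseline: Zone, observed: Zone) -> List[Finding]:
    """One Finding per record set that differs, highest severity first."""
    findings = []
    for key in set(baseline) | set(observed):
        exp = baseline.get(key, frozenset())
        obs = observed.get(key, frozenset())
        if exp != obs:
            name, rtype = key
            findings.append(Finding(name, rtype, SEVERITY.get(rtype, "medium"), exp, obs))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.name, f.rtype))


# Constructed baseline: the records as last signed off by the domain's owners.
BASELINE_ANSWERS = {
    ("steakhouse.example", "NS"):   ["ns1.good-registrar.example.", "ns2.good-registrar.example."],
    ("steakhouse.example", "A"):    ["203.0.113.10"],
    ("steakhouse.example", "AAAA"): [],
    ("steakhouse.example", "MX"):   ["10 mail.good-mail.example."],
    ("steakhouse.example", "TXT"):  ['"v=spf1 include:good-mail.example -all"'],
}

# Constructed observation of the hijack pattern in the article: delegation moved to
# attacker-controlled nameservers and the apex A record now points at a third-party host.
# MX differs only by case and trailing dot, which canon() must treat as no change.
HIJACKED_ANSWERS = {
    ("steakhouse.example", "NS"):   ["NS1.ATTACKER-DNS.EXAMPLE.", "ns2.attacker-dns.example."],
    ("steakhouse.example", "A"):    ["198.51.100.77"],
    ("steakhouse.example", "AAAA"): [],
    ("steakhouse.example", "MX"):   ["10 MAIL.good-mail.example"],
    ("steakhouse.example", "TXT"):  ['"v=spf1 include:good-mail.example -all"'],
}


def dict_lookup(answers: Dict[RecordKey, List[str]]) -> Lookup:
    """Stand-in for a resolver query; in production this would be a dnspython resolve() call."""
    return lambda name, rtype: answers.get((name, rtype), [])


def check_domain(domain: str, baseline_answers: Dict[RecordKey, List[str]], live: Lookup) -> List[Finding]:
    baseline = snapshot([domain], dict_lookup(baseline_answers))
    observed = snapshot([domain], live)
    return diff_zone(baseline, observed)


if __name__ == "__main__":
    for finding in check_domain("steakhouse.example", BASELINE_ANSWERS, dict_lookup(HIJACKED_ANSWERS)):
        print(finding)
```

In a real deployment the dictionary lookup is replaced by queries against several independent public resolvers and, for the NS set, against the parent zone's delegation, since once the delegation has moved the domain's own nameservers will happily report the attacker's view as normal. Run from cron or a scheduler every few minutes, the critical NS finding is the alert that would have fired on the nameserver change described above.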

Adrian Cachinero Vasiljevic, the Steakhouse Financial partner responsible for operations, issued a personal apology, acknowledging that identifying this attack vector had been his responsibility and pledging to lead the security hardening that follows. The incident is a reminder that a domain's security is bounded by the weakest identity check at its registrar, not by the strength of the MFA configured on the account, and that the same social engineering that defeats a support desk defeats any control the support desk can switch off.