Global DNS Infrastructure Attack Redirects Banking Traffic Through Malicious Servers
A sophisticated attack on global DNS infrastructure redirected traffic intended for approximately 30 major banking websites through attacker-controlled servers for roughly six hours on January 15, 2026. The attack exploited weaknesses in the Border Gateway Protocol (BGP) to hijack traffic destined for DNS resolvers.
The attackers announced unauthorized BGP routes that diverted DNS queries from multiple large ISPs to rogue DNS resolvers. These resolvers returned legitimate-looking DNS responses that pointed banking domain names to attacker-controlled servers equipped with valid TLS certificates obtained through automated certificate authorities.
An estimated 4.2 million banking sessions across North America and Europe may have been intercepted during the six-hour window. The full impact is still being assessed, but several banks have reported unauthorized transactions linked to the incident.
The attack was detected by ICANN's Security and Stability Advisory Committee (SSAC) and mitigated through coordinated action with major transit ISPs and DNS resolver operators. The incident has renewed calls for accelerated deployment of DNSSEC and BGP security mechanisms such as RPKI (Resource Public Key Infrastructure).
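The RPKI mechanism named above works through route origin validation (ROV, RFC 6811): a router compares each BGP announcement against published Route Origin Authorizations and classifies it as valid, invalid or not-found, then applies a policy to the result. The following Python script is an added illustration of that check and is not code from the article or from any of the organisations it names. The ROA table, ASNs and prefixes are constructed for the example (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs) and do not describe the actual incident; it shows how an unauthorized announcement of a resolver prefix, the kind of diversion the article describes, would be marked invalid by a validating router.

```python
"""RPKI route origin validation (RFC 6811) against a constructed ROA table.

Assumption: every ROA, ASN and prefix in this file is constructed for the
example (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs); none
is taken from the incident described in the article.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: origin_asn may announce prefix, up to max_length."""
    prefix: IPNetwork
    max_length: int
    origin_asn: int


# Constructed ROA table, in the shape a validating cache exports (prefix, maxLength, ASN).
CONSTRUCTED_ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),    # an ISP's resolver block
    ROA(ipaddress.ip_network("203.0.113.0/24"), 25, 64501),  # a web prefix, /25s permitted
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]


def validate_origin(prefix_str: str, origin_asn: int, roas: List[ROA]) -> str:
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    # Covering ROAs: same address family and the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"      # no ROA speaks to this address space at all
    for r in covering:
        if r.origin_asn == origin_asn and prefix.prefixlen <= r.max_length:
            return "valid"      # at least one ROA authorises this origin and length
    return "invalid"            # covered by ROAs, but none authorises this origin/length


def filter_announcements(announcements: List[Tuple[str, int]], roas: List[ROA],
                         drop_not_found: bool = False):
    """Apply a common ROV policy: drop 'invalid'; accept 'not-found' unless told otherwise."""
    accepted, rejected = [], []
    for prefix_str, origin_asn in announcements:
        state = validate_origin(prefix_str, origin_asn, roas)
        if state == "invalid" or (state == "not-found" and drop_not_found):
            rejected.append((prefix_str, origin_asn, state))
        else:
            accepted.append((prefix_str, origin_asn, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed BGP feed as a router would see it; one unauthorized origin for the
    # resolver block sits among legitimate announcements.
    feed = [
        ("192.0.2.0/24", 64500),     # legitimate origin -> valid
        ("192.0.2.0/24", 64496),     # same prefix, wrong origin -> invalid
        ("192.0.2.0/25", 64500),     # right origin but longer than maxLength -> invalid
        ("198.51.100.0/24", 64502),  # no ROA covers it -> not-found
        ("2001:db8:1::/48", 64500),  # IPv6, within maxLength -> valid
    ]
    accepted, rejected = filter_announcements(feed, CONSTRUCTED_ROAS)
    for entry in rejected:
        print("REJECT", entry)
    for entry in accepted:
        print("ACCEPT", entry)
```

Two points the output makes concrete: a more-specific announcement from the legitimate origin is still invalid once it exceeds the ROA's maxLength, which is why operators are advised to keep maxLength tight; and a prefix with no ROA is merely not-found, which most deployments still accept, so ROV only protects address space whose holders have actually published ROAs. ROV at transit providers addresses the routing half of the incident; DNSSEC validation at the resolver or client addresses the forged-response half, since a signed banking zone's records would fail validation when served by a rogue resolver.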
This represents one of the most significant attacks on internet infrastructure in recent years. The sophistication of the attack — combining BGP hijacking, DNS manipulation, and fraudulent TLS certificate issuance — suggests involvement of a well-resourced threat actor, though attribution is ongoing.