@briankrebs ...did not expect that to be the mechanism. Wow.
In case folks are interested, we (@DomainTools) uploaded all DNS records observed for about a hundred sites listed by the cryptocurrency community as vulnerable, going back to 2024-07-01. Hopefully it helps some investigators and blue teamers.
(Inclusion does not necessarily indicate compromise.)