Namefi

The Malaysia Airlines DNS Hijack: "404 — Plane Not Found"

In January 2015, Lizard Squad hijacked the DNS of malaysiaairlines.com and replaced the airline site with a tuxedo-wearing lizard and the taunt "404 — Plane Not Found." No server was breached — the attackers simply changed where the domain pointed. A Domain Mayday deep-dive into how DNS became the airline's most exposed front door.

Published on June 17, 2026By Namefi Team
  • domains
  • security
  • dns
  • domain-security
The Malaysia Airlines DNS Hijack: "404 — Plane Not Found"

The plane was never found. In January 2015, neither was the website.

On the morning of January 26, 2015, anyone who typed malaysiaairlines.com into a browser did not reach the airline. They reached a hacker. The familiar booking page was gone, replaced by an image of a lizard in a top hat and monocle and a single, cruel headline: "404 — Plane Not Found." Below it: "Hacked by Lizard Squad — Official Cyber Caliphate." One browser title bar read, simply, "ISIS will prevail."

It was a joke about a graveyard. Less than a year earlier, Malaysia Airlines Flight 370 had vanished from radar with 239 people aboard. Four months after that, Flight 17 was shot out of the sky over Ukraine. Now a group of teenagers had turned the airline's own grief into a punchline served on its own front door — without ever touching its servers.

That last part is the whole story. Malaysia Airlines was not "hacked" in the way most people pictured it. Its booking systems were intact. Its passenger data sat untouched. What the attackers seized was something more fundamental and, it turns out, far easier to take: the domain name itself — the address that tells the entire internet where "Malaysia Airlines" lives.

This is a Domain Mayday case about the part of your infrastructure you probably never think about until it points somewhere else.

An airline is its domain

For a global carrier, the website is not a brochure. It is the cash register, the check-in desk, and the call center, all keyed to one string of text: malaysiaairlines.com.

Every booking, every loyalty login, every "manage my flight" link in every confirmation email resolves through that domain. When a passenger in Kuala Lumpur or London types it in, an invisible chain fires: the browser asks the Domain Name System (DNS) "where does malaysiaairlines.com live?", DNS answers with an IP address, and the browser connects. The airline's brand, its revenue, and its customers' trust all ride on that one lookup returning the right answer.

DNS is the internet's address book. It is also, for most organizations, the least-watched door in the building. You can spend millions hardening your servers, encrypting your databases, and training your staff against phishing — and none of it matters if someone can quietly change the line in the address book that says where your name points. Redirect the address, and you have redirected the company, without ever breaking into the building.

That is exactly what happened.

The hijack: a lizard where an airline used to be

Vivid colorful concept art of a glowing DNS signpost on a runway switched by an unseen hand, rerouting a stream of travelers away from a departure gate toward a dead-end wall stamped with a giant 404, neon teal and magenta

The defacement was crafted for maximum cruelty. The image of a lizard in formalwear was Lizard Squad's calling card; the group had spent the previous December knocking the Xbox Live and Sony PlayStation Network offline over the holidays. By January it had wrapped itself in the imagery of a "Cyber Caliphate," posturing as ISIS-aligned even as researchers treated the claim with deep skepticism.

The site, as visitors found it, displayed a picture of a lizard in a top hat and monocle, as well as the text "404-Plane Not Found". Wikipedia's account of the group records the same scene: users were redirected to another page bearing an image of a tuxedo-wearing lizard, and the page carried the headline "404 - Plane Not Found", an apparent reference to the airline's loss of flight MH370 the previous year.

The cruelty was the point. MH370 had disappeared from radar on 8 March 2014, all 239 people aboard eventually presumed dead, and the wreckage never conclusively located. MH17 had been shot down by Russian-backed forces with a Buk 9M38 surface-to-air missile on 17 July 2014, killing all 298 aboard. To stamp "Plane Not Found" across the airline's homepage was to weaponize the worst year in the company's history — and to broadcast it to every customer trying to reach the site.

Then came the threat. The group tweeted that it would "dump some loot found on www.malaysiaairlines.com servers soon," and even posted a screenshot it claimed showed passenger itineraries. For an airline already drowning in a year of catastrophe, the idea that customer data was loose was its own kind of disaster.

How it happened: the address book, not the building

Vivid colorful concept art of a futuristic switchboard operator pulling a glowing cable from the correct socket and plugging it into a fake one, streams of light-traffic diverting off a runway toward an impostor terminal, electric blues and warm orange

Here is the technical heart of it, and the reason this case belongs in a domain-security series rather than a server-breach one.

Malaysia Airlines' own statement, repeated across the coverage, drew the distinction precisely: Malaysia Airlines confirms that its Domain Name System (DNS) has been compromised where users are re-directed to a hacker website when www.malaysiaairlines.com URL is keyed in. The airline insisted its website was not hacked and this temporary glitch does not affect their bookings and that user data remains secured, adding that its web servers are intact.

Both things were true at once: the site was wrecked, and the servers were fine. The attackers never needed the servers. As The Register put it, DNS records for the site have been interfered with so that surfers are being redirected to a hacker-controlled site. They changed the address book entry, not the building it pointed to. Even the malice was filed in the metadata: a Whois check at the time showed ISIS will prevail listed as the site's title.

Where was that address book kept? At the registrar. The airline's domain appears to be registered with Web Commerce Communications Limited — a.k.a. Webnic — which has offices in Singapore, Malaysia and China. That name matters, because Webnic was about to become infamous.

A month later, the same registrar was at the center of a far larger incident. As Brian Krebs reported, attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others, then leverage[d] their access at Webnic.cc to alter the domain name system (DNS) records for Lenovo and Google Vietnam. The mechanism, Krebs reported, was a command injection vulnerability in Webnic.cc to upload a rootkit — persistent access to the very system that controls where hundreds of thousands of domains point.

You do not have to break into Google to redirect google.com.vn. You do not have to break into an airline to redirect its homepage. You only have to compromise the layer that owns the answer to "where does this domain live?" — the registrar account and the DNS records behind it. That layer sits outside the perimeter most companies actually defend.

Impact and response

For the airline, the damage was reputational and operational rather than data-theft. Customers trying to book or check in hit a defacement. Headlines worldwide paired the words "Malaysia Airlines" with "hacked" — a brand already in crisis now associated with a lizard taunting it about its missing plane.

The airline moved to contain it the only way a DNS hijack can be contained: by working through the layer that had been subverted. It said it had resolved the issue with its service provider and that the system is expected to be fully recovered within 22 hours. That timeline is itself a DNS tell: even after you fix the records, the bad answer can linger in caches around the world until it expires. A hijack is fast to commit and slow to fully unwind.

On the data-dump threat, the airline held its line — bookings unaffected, user data secured — and the catastrophic leak the group boasted about never materialized as described. But "we weren't really breached, the attackers only controlled our entire public identity for the better part of a day" is a difficult message to land with the traveling public. To a customer staring at "404 — Plane Not Found," the distinction between a server breach and a DNS hijack is invisible. The site was the airline. And for a day, the site belonged to someone else.

What this teaches about DNS as your front door

The Malaysia Airlines hijack is a textbook lesson precisely because nothing was breached in the conventional sense. The takeaways generalize to almost every organization online:

  1. Your domain is a single point of failure you don't control alone. The registrar holds the master record of where your name points. If their account security — or their software — fails, your perfectly hardened servers are irrelevant. Webnic proved this twice in one month, with an airline and then with Google and Lenovo.

  2. A DNS hijack needs no breach of you. Attackers redirected the address book, not the building. Defenses that watch your servers, your code, and your network can miss an attack that happens entirely at the naming layer.

  3. Lock the records that can move your name. Registry Lock and registrar-level locks exist specifically to stop unauthorized changes to your DNS and nameserver records — they add a manual, out-of-band step before anyone can repoint your domain. For a high-value domain, they are not optional.

  4. Reach for DNSSEC and 2FA at the registrar. Strong authentication on the registrar account and DNSSEC signing on the zone raise the cost of exactly the silent record-swap that defaced Malaysia Airlines.

  5. Recovery is slower than the attack. TTLs and global caches mean a hijack outlives its fix. Plan for the cleanup window, not just the patch.

The uncomfortable summary: most companies guard the building and leave a sticky note on the front door telling everyone which building to walk into. Change the note, and you have moved the company.

The Namefi angle

Colorful illustration of verifiable, tamper-resistant domain ownership — a domain card secured by a green shield, a green Namefi token, and DNS continuity

The Malaysia Airlines hijack is, at its core, a question of who is allowed to change where a name points — and how easily that authority can be quietly stolen at the registrar layer. The attack didn't defeat cryptography or crack a database. It defeated the soft, account-based control plane that decides the most important fact about a domain: where it resolves.

Namefi is built on the idea that domain ownership and control should behave like a verifiable, internet-native asset rather than a line item in a registrar's database that one compromised account can rewrite. Tokenized ownership makes the question "who controls this domain, and did that control just change hands?" auditable and tamper-evident, while staying compatible with DNS. The defense against a hijack is not only stronger passwords — it is making unauthorized changes visible and provable instead of silent.

Malaysia Airlines never lost its servers. It lost the answer to a single question — where does this name point? — for about a day. The plane was never found. The website should never have been lost either. The lesson of Domain Mayday is that the address book is part of the perimeter, and the day you forget that is the day a lizard in a top hat moves into your front door.

Sources and further reading

About the author(s)

Namefi Team
Namefi Team • Namefi
TwitterLinkedIn

Namefi is a collective of engineers, designers, and operators who obsess over building tools that make managing your onchain domain names effortless.

Related guides