The Ethereum Foundation (EF) this week disclosed a phishing campaign that targeted its email subscribers. The attack that took place on June 23, saw a malicious email sent to over 35,794 recipients from the compromised email account of ethereum – “[email protected]”.
The phishing email sent from this address leveraged social engineering tactics, luring users with the promise of a high annual percentage yield (APY) through a fake collaboration between Ethereum and Lido DAO. Clicking the embedded “Begin staking” button led victims to a well disguised website designed to steal cryptocurrency from unsuspecting users’ crypto wallets.
Dissecting the Ethereum Mailing List Attack
Investigators discovered the attacker used a combined email list, incorporating both their own addresses and a subset of 3,759 addresses harvested from the Ethereum blog’s mailing list. Fortunately, only 81 of the obtained addresses were new to the attacker.
The phishing email advertised a lucrative 6.8% APY on staked Ethereum. Upon clicking the malicious link and attempting to connect their wallets, users would unknowingly initiate a transaction that would drain their crypto holdings straight into the attacker’s wallet.
Swift Response and Ongoing Measures
The Ethereum Foundation’s security team swiftly responded to the incident. They identified and blocked the attacker from sending further emails, while simultaneously alerting the community via Twitter about the malicious campaign. Additionally, the team submitted the fraudulent link to various blocklists, effectively hindering its reach and protecting users of popular Web3 wallet providers and Cloudflare.
While on-chain analysis revealed no successful thefts during this specific campaign, the EF emphasizes the importance of vigilance. They have implemented additional security measures and are migrating some email services to mitigate future risks.
Similar Incidents
This incident highlights the evolving tactics of cybercriminals who exploit trust in reputable organizations to target cryptocurrency users. In February, crypto scammers devised a new tactic to deceive owners of Ethereum Name Service (ENS) domains, commonly recognized by their “.eth” extension. The ENS email phishing scam involved sending emails to ENS owners, purportedly alerting them about the expiration of their domains. But, as seen in the latest campaign victims were directed to fraudulent platforms designed to siphon their funds.
Nick Bax, a prominent figure in cryptocurrency analysis, first reported the crypto scam, suggesting that attackers could be exploiting the extensive data leaked from previous data breaches. This leak potentially provides scammers with access to genuine email addresses associated with [.]eth accounts, facilitating the targeting of ENS owners.
Security professionals and crypto enthusiasts alike should remain vigilant against phishing attempts and prioritize verifying information before interacting with suspicious links or investment opportunities.