On June 23, the Ethereum Foundation suffered a security breach when an unauthorized party took control of its "updates" email account and used it to send a phishing campaign, the foundation disclosed in a blog post dated July 2. The account has since been recovered, ending the distribution of the fraudulent emails.
According to the blog post, 35,794 deceptive emails were sent from the official address [email protected] to the foundation's mailing list and to other recipients. The foundation's investigation concluded that the attack did not cause any loss of cryptocurrency for those targeted. It did find, however, that the email addresses of 81 subscribers may have been exposed to the attacker.
The deceitful emails broadcasted a bogus declaration that the Ethereum Foundation had entered into a partnership with LidoDAO, a decentralized autonomous organization, promising a 6.8% return on investments made in staked Ether (stETH), Wrapped Ether (WETH), or Ether (ETH). The announcement assured subscribers that their stakes would be “Protected and Verified by The Ethereum Foundation.”
Visual of the phishing email from the Ethereum Foundation hacker. Credit: Ethereum Foundation
Recipients who clicked the "Begin Staking" button in the email were taken to a fraudulent web application branded as a "Staking Launchpad." Using the "Stake" feature in this application prompted the user's wallet to sign a transaction; had the user approved it, the transaction would have drained their funds, according to the blog post.
Illustration of the counterfeit “Staking Launchpad” promoted by the hacker. Courtesy of Ethereum Foundation
Upon the discovery of the malevolent emails, the foundation took immediate action to prevent the assailant from sending additional messages. They also terminated the unauthorized access route the attacker had exploited to infiltrate the mailing list provider, thereby barring any further access to the email account. Notifications were sent to various blacklists, Web3 wallet services, and Cloudflare to alert users and prevent them from accessing the harmful site.
Further investigation by the Ethereum Foundation found that the attacker had uploaded a database of email addresses not previously part of the foundation's subscriber base, meaning even non-subscribers may have received the scam emails. The attacker had also "exported the blog mailing list email addresses, totaling 3759."
The foundation then sought to determine whether the attacker had obtained any new email addresses through the breach. It found that "the blog mailing list contained 81 email addresses unknown to the threat actor, with the remainder being duplicates."
Fortunately, the attacker appears not to have obtained any cryptocurrency through the breach. The foundation noted that phishing campaigns are one of the most common ways crypto users lose their assets. On June 23, a MakerDAO member lost $11 million after granting several erroneous token approvals, likely through a fraudulent web application. Similarly, on June 26, a marketing email account belonging to the blockchain network Hedera Hashgraph was compromised and used to send scam emails.