LOGO_CRYPTO_SIGHT

Ethereum Foundation Email Hacked to Promote Lido Staking Phishing Scam

By Vy Tran | July 4, 2024

A hacker broke into the Ethereum Foundation’s email server, sending scam emails to 35,794 people and recording 81 subscriber email addresses in the process. On June 23, the Ethereum Foundation’s “update” email account was compromised and used to promote a phishing scam, according to a July 2 blog post from the foundation. The foundation has since recovered the account, and the malicious emails are no longer being sent out.

According to the post, 35,794 scam emails were sent to the foundation’s subscribers and other individuals using its official updates@blog.ethereum.org email address. The foundation’s investigation concluded that no victims lost cryptocurrency from the attack. However, the attacker may have exposed the email addresses of 81 subscribers.

The emails contained a fake announcement stating that the Ethereum Foundation had partnered with the Lido decentralized autonomous organization (LidoDAO) to offer a 6.8% yield on staked Ether (stETH), Wrapped Ether (WETH), or Ether (ETH) deposits. It assured subscribers that staking would be “Protected and Verified by The Ethereum Foundation.”

 

Ethereum Foundation hacker phishing email. Source: Ethereum Foundation

Users who clicked the “Begin Staking” button in the email were directed to a malicious web app, which advertised itself as a “Staking Launchpad.” Clicking the “Stake” button within this app pushed a transaction to the user’s wallet. If the user had approved this transaction, their wallet would have been drained, the post stated.

Fake “Staking Launchpad” advertised by hacker. Source: Ethereum Foundation

When the malicious emails were discovered, the foundation responded by blocking the attacker from sending more emails. It also “closed off the malicious access path the threat actor had used to obtain access into the mailing list provider,” ensuring that the attacker could no longer access the email address. Additionally, the foundation sent out notices to various blacklists, Web3 wallet providers, and Cloudflare so that users could receive warnings if they attempted to navigate to the malicious site.

After further investigation, the Ethereum Foundation discovered that the attacker had uploaded a database containing new email addresses that were not part of the Ethereum Foundation’s subscriber list, implying that some users who were not on the list may have nevertheless received the scam emails. In addition, the attacker “exported the blog mailing list email addresses, which was a total of 3,759 email addresses.”

The foundation attempted to determine if the attacker obtained any new email addresses from the exploit. It found that “the blog mailing list contained 81 email addresses that the threat actor did not previously have knowledge of, and the rest were duplicate addresses.”

Despite the breach, the attacker appears to have gained no crypto loot from the attack. The foundation stated: “Analyzing on-chain transactions made to the threat actor between the time they sent out the email campaign and the time the malicious domain got blocked, appear to show that no victims lost funds during this specific campaign sent by the threat actor.”

Phishing campaigns are a common way for crypto users to lose their funds. On June 23, a MakerDAO member lost $11 million after making several mistaken token approvals, apparently after interacting with a fake web app. On June 26, a marketing email address for the blockchain network Hadera Hashgraph was also hacked to send out scam emails.

Source: Cointelegraph

Tags: ,

Comments