A hacker infiltrated the Ethereum Foundation’s email system and sent fraudulent emails to 35,794 recipients using 81 email accounts belonging to subscribers.
According to a blog post published on July 2, the Ethereum Foundation’s “update” email account was hacked and utilized to disseminate a phishing scheme on June 23. The foundation has reclaimed the account, and the illicit emails are no longer being transmitted.
According to the post, the official updates@blog.ethereum.org email address sent 35,794 fraudulent emails to the foundation’s subscribers and others.
The foundation’s investigation determined that the attack did not result in any cryptocurrency losses for the victims. Nevertheless, the perpetrator may have obtained the email addresses of 81 subscribers.
The emails contained a fabricated announcement that the Ethereum Foundation has formed a partnership with the Lido decentralized autonomous organization (LidoDAO) to provide a 6.8% yield on staked Ether (stETH), Wrapped Ether (WETH), or Ether deposits.
It informed subscribers that staking would be “Protected and Verified by The Ethereum Foundation.”
Users who clicked the “Begin Staking” button in the email were directed to a malicious web application advertised as a “Staking Launchpad.” Choosing the “Stake” option within this application sent a transaction to the user’s wallet. The post stated that the user’s wallet would have been drained had they approved this transaction.
The foundation responded by blocking the perpetrator from sending additional emails after identifying the malicious messages. It also “closed off the malicious access path the threat actor had used to obtain access into the mailing list provider,” ensuring that the attacker could no longer use the email address.
It also sent notifications to various blocklists, Web3 wallet providers, and Cloudflare so that users would be warned if they attempted to access the malicious website.
After further investigation, the Ethereum Foundation discovered that the perpetrator had uploaded a database containing new email addresses that were not part of the Ethereum Foundation’s subscriber list, implying that some users who were not on the list may have nevertheless received the scam emails.
In addition, the perpetrator “exported the blog mailing list email addresses, which was a total of 3759 email addresses.”
The foundation also sought to determine whether the attacker had acquired any new email addresses through the intrusion. It found that “the blog mailing list contained 81 email addresses that the threat actor was previously unaware of, and the remaining addresses were duplicates.”
“Analyzing on-chain transactions made to the threat actor between the time they sent out the email campaign and the time the malicious domain got blocked, appear to show that no victims lost funds during this specific campaign sent by the threat actor.”
Phishing campaigns are a common way for crypto users to lose their funds. On June 23, a MakerDAO member lost $11 million due to multiple erroneous token approvals, which were reportedly the result of interacting with a fraudulent web application. On June 26, a marketing email address for the blockchain network Hedera Hashgraph was also compromised to send out email scams.