On June 23, the Ethereum Foundation's official email account used for updates was compromised and used to send phishing emails, according to a blog post the foundation published on July 2. The foundation has since regained control of the account, stopping the flow of fraudulent emails.
According to the post, 35,794 scam emails were sent to subscribers of the foundation's mailing list and to other recipients, using the foundation's genuine [email protected] address. The foundation's investigation found that no recipient lost cryptocurrency as a result of the attack, but the personal email addresses of 81 subscribers may have been exposed to the attacker.
The emails carried a fabricated announcement of a partnership between the Ethereum Foundation and the Lido decentralized autonomous organization (LidoDAO), offering a 6.8% yield on deposits of staked Ether (stETH), Wrapped Ether (WETH), or Ether (ETH). The email assured recipients that their staking would be "Protected and Verified by The Ethereum Foundation."
Recipients who clicked the "Begin Staking" button in the email were taken to a malicious web application posing as a "Staking Launchpad." Clicking "Stake" on that site sent a transaction request to the user's wallet. As the post stressed, had the user approved that transaction, "their wallet would have been drained."
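As an added illustration (not code from the foundation's post), this is the check a wallet or browser extension can run on the transaction such a fake "Stake" button requests: it decodes the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` calldata and flags an unlimited approval to an unknown spender before the user signs. The function selectors are the standard ones; the attacker and token contract addresses are constructed placeholders.

```python
MAX_UINT256 = (1 << 256) - 1

# Standard 4-byte selectors (first four bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
}

def _word(data: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI argument as an integer."""
    return int.from_bytes(data[4 + 32 * i:4 + 32 * (i + 1)], "big")

def _addr(data: bytes, i: int) -> str:
    """Return the i-th 32-byte ABI argument as a lowercase 0x address."""
    return "0x" + data[4 + 32 * i + 12:4 + 32 * (i + 1)].hex()

def assess(tx: dict, trusted_spenders: set) -> tuple:
    """Return (risk, reason) for a wallet prompt before it is signed.
    tx carries eth_sendTransaction-style hex strings: 'to', 'value', 'data'."""
    data = bytes.fromhex(tx.get("data", "0x")[2:])
    if len(data) < 4:
        return "medium", "native ETH send; confirm 'to' is the contract you expect"
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return "medium", "unrecognised function; review the contract call before signing"
    spender = _addr(data, 0)
    if spender in trusted_spenders:
        return "low", f"approval to a known contract {spender}"
    if name.startswith("approve(") and _word(data, 1) == MAX_UINT256:
        return "high", f"unlimited token approval to unknown spender {spender}"
    if name.startswith("setApprovalForAll(") and _word(data, 1) == 1:
        return "high", f"blanket NFT approval to unknown operator {spender}"
    return "medium", f"{name} granted to unknown address {spender}"

def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount); used here only to build the sample."""
    return "0x095ea7b3" + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

# Constructed sample: the prompt a drainer's "Stake" button would hand the wallet.
ATTACKER = "0x" + "ab" * 20   # placeholder address, not a real indicator
SAMPLE_TX = {"to": "0x" + "cd" * 20, "value": "0x0",
             "data": encode_approve(ATTACKER, MAX_UINT256)}

if __name__ == "__main__":
    print(assess(SAMPLE_TX, trusted_spenders=set()))
```

A real wallet would populate `trusted_spenders` from a vetted contract list; a genuine staking deposit never needs an unlimited approval to an arbitrary address.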
On discovering the emails, the foundation first blocked the attacker from sending any more. It then closed the access path the threat actor had used to get into the mailing list provider, preventing further unauthorized access, and notified blacklists, Web3 wallet providers, and Cloudflare so that users would be warned away from the malicious site.
Further investigation showed that the attacker had uploaded a database of new email addresses that were not on the foundation's subscriber list, meaning some non-subscribers may also have received the phishing emails. The attacker also "exported the blog mailing list email addresses, which numbered 3759 in total."
The foundation then tried to determine whether the attacker had obtained any new email addresses through the breach. It reported that "the blog mailing list included 81 email addresses that were unknown to the threat actor prior, while the remainder were duplicates."
The good news is that the attacker stole no cryptocurrency in this incident. The foundation noted how common phishing campaigns are against crypto users, citing the $11 million lost by a MakerDAO member on June 23 through mistaken token approvals after interacting with a counterfeit web application. On June 26, the marketing email address of the Hedera Hashgraph blockchain network was likewise compromised and used to send fraudulent emails, underlining the ongoing risk to the crypto community.