According to what was reported yesterday by the Ethereum Foundation, on June 23 the organization’s email server was compromised in order to deliver a scam crypto staking service on Lido.
The hackers exploited the over 35,000 addresses subscribed to the Ethereum newsletter to promote a phishing email with the official address of the group.
In the message, users were invited to stake crypto on Lido taking advantage of a 6.8% yield incentive. However, by clicking on the scam platform, they were actually authorizing the draining of the wallet
Let’s see in detail what happened.
Breached the email server of the Ethereum Foundation: crypto hacker advertises a Lido scam platform
On June 23, a hacker broke into the Ethereum Foundation’s mail server with the intent of promoting a crypto scam to the newsletter subscribers.
According to what was reported yesterday by the same insiders of the organization, phishing messages were sent to 35,794 contacts containing drain links.
In detail, the subject advertised a fake staking on Lido with a particularly high yield of 6.8% on stETH, WETH, and ETH.
To make the announcement more truthful, the official email address of the Ethereum Foundation updates@blog.ethereum.org was used.
The hacker also had to justify the exaggerated performance, being actually 3% on the real platform.
For this reason, he wrote that Ethereum was collaborating with Lido to offer more benefits to the community, and that staking was “guaranteed and protected.”
By clicking on the “begin staking” button in the phishing email, users were redirected to a scam dapp that mimicked an interface similar to Lido’s.
Up to this point, nothing harmful, even connecting the wallet to the fake Lido website in the background.
However, trying to “stake” on the fraudulent application, a request was received in the wallet, which if confirmed would compromise the entire portfolio.
With a single click, all the funds would have been drained and sent directly into the scammer’s pockets.
This story reminds us how important it is to always check the domain of the dapp we are using by always doing a double check.
Unfortunately, it is not sufficient to go through official sources because, as in this case, they too can be compromised.
The post-mortem response of Ethereum to the phishing attack
The response from the Ethereum Foundation took a few days after the crypto scam was circulated with their own email.
On July 2nd, with an official post, the core developer Tim Beiko explained what happened to his community.
The hacker allegedly breached the email provider of Ethereum “SendPulse” managing to gain unauthorized access.
The foundation is still working with SendPulse to fix the problem, but it seems that for now the hack has been averted.
The malicious actor no longer has access to the contacts of the Ethereum development organization and everything seems to have been resolved.
Furthermore, the scam message promoted has been forwarded to various blacklists of web3 wallet providers to avoid contamination issues.
The attacker has indeed exported about 3,759 addresses from the blog’s mailing list, probably with the intent to use them for other scams.
Then, following further investigations, Ethereum discovered the existence of a database containing new email addresses not included in the company list.
As written verbatim by Beiko:
“the mailing list of the blog contained 81 email addresses of which the threat actor was not previously aware and the rest were duplicate addresses.”
This means that some users not abandoned to the organization might have received the phishing email and that the scam could have been reproduced elsewhere.
Confirming we managed to send out an update. We should have locked down all external access, but still confirming. https://t.co/QJJPSW2fuY pic.twitter.com/sqmL4EmJbc
— timbeiko.eth (@TimBeiko) June 23, 2024
In the end, all’s well that ends well: it doesn’t seem that there have been any cases of draining and no crypto has been stolen from the attack.
The Ethereum Foundation has written the following to reassure its users from the scam attempt:
“Analysis of on-chain transactions carried out by the threat actor between the moment they sent the email campaign and the moment the malicious domain was blocked, seem to demonstrate that no victim lost funds during this specific campaign sent by the threat actor.”
Scam and exploit in the crypto world: hackers in search of visibility and reliability
Scammers are constantly looking for opportunities to gain visibility through the official account of a recognized and reliable entity in the crypto world.
The latest attempt to attack the Ethereum Foundation, with which a scam version of Lido was promoted, is just the latest in a long series of similar episodes.
In an online context full of messages, it is not easy for hackers to stand out from the crowd: often in fact they position themselves in the comments of an official post in the hope of being seen by the more naive.
Obtaining access to a reliable and recognized communication tool by the crypto community is, however, the best method to attract more users.
This time the attack was unsuccessful because on one hand the Ethereum Foundation was quick to block the sending of numerous emails. On the other hand, probably the target of Ethereum subscribers is particularly prepared and expert in cryptographic topics, so they were not fooled.
In the past, however, there have been many similar scam attempts: On June 26, a marketing email address for the blockchain network Hedera Hashgraph was also hacked to send scam emails.
on June 23, 3 days earlier, a member of MakerDAO had lost 11 million dollars after interacting with a fake web app.
Even on the new blockchain of TON it seems that phishing attacks are on the rise, with malicious users trying to take advantage of the network’s periods of popularity.
In general, however, as reported by Peckshield, the thefts recorded on blockchain in June have decreased compared to those observed in May.
In fact, the cryptographic losses in this sense dropped to 176 million dollars last month, compared to 385 million dollars in May.
From 2016 to today, as reported by DeFiLlama, the hacks and exploits overall amount to 8.3 billion dollars.