Hackers hijacked the LEGO website and put up a banner urging users to buy a fraudulent cryptocurrency associated with the toy manufacturer. When users clicked the banner, it directed them to a decentralized exchange where they could buy the scam tokens with Ethereum.

LEGO responded quickly to remove the malicious links and banners. The toy manufacturer also assured users that no user accounts were compromised and that it had taken preventive measures to prevent future incidents.

Hackers make LEGO an unwitting accomplice 

The attackers would have intended to capitalize on LEGO’s brand reputation, which has become a growing trend in crypto scams. 

Typically, these crypto scammers find a trusted or influential third party, breach their security protocols, and promote their scams to unsuspecting victims through the mediums they trust. It is easy for users to fall victim to this type of scam since it looks like it’s coming from a trusted source.

In June 2024, the Ethereum Foundation’s email system was compromised and used to promote a drainer link to its 35,794 subscribers. A similar event occurred when the official X (formerly Twitter) account of the iconic band, Metallica was compromised and used to promote a scam Solana token called $METAL, which generated a trading volume of about $10 million.

Crypto scams have become more sophisticated over the years, evolving from Ponzi schemes and fraudulent ICOs to more advanced techniques like drainers, phishing attacks, and hacks. 

According to a report published by Immunefi, about $1.2 billion has been lost to crypto scammers in 2024.

Security breaches are growing in variety and sophistication

While LEGO did not offer an explanation of how it got hacked, most of these attacks are carried out by syndicates as they are often too complex for an individual to attempt. They employ both on- and off-chain tools to coordinate scams.

On-chain attacks include exploiting vulnerable contracts, while off-chain attacks include phishing and hacking. These syndicates usually maintain smaller simultaneous campaigns to avoid immediate detection.

LEGO’s silence has caused speculations of how the breach happened to grow. 

A possible scenario is a poorly configured or ineffective web application firewall (WAF), which prevents malicious traffic from getting into a website. If a WAF is poorly configured, hackers can gain unauthorized access, which would allow them to insert malicious links into the website.

Hackers may gain access to a website by exploiting an external service provider or a third party the website uses. Also, attackers can gain access to websites through phishing, credential stuffing, or exploiting other security vulnerabilities. 

Cryptopolitan reported that hackers breached the Discord of five crypto projects in one week in August. Another notable example was when Crypto.com lost $33 million of users’ funds after attackers bypassed their 2FA requirements for fund transfers. 

The LEGO hack only shows the variety of attack vectors and the sophistication of attackers, with even well-known brands becoming victims and unwilling accomplices. The implication of this breach may go beyond financial loss, but it might be too early to tell. 

In the meantime, customers have to trust that the breach was contained before more damage could be done as LEGO has been economical with information about the breach.