Ethereum Foundation email hacked to promote Lido staking phishing scam
On July 23, the Ethereum Foundation's “Updates” email account was hacked and used to promote a phishing scam, according to a July 2 blog post from the foundation. The foundation has since regained control of the account, and no further malicious emails are being sent.
According to the article, 35,794 fraudulent emails were sent to the foundation's subscribers and other individuals through the official updates@blog.ethereum.org email address. The foundation's investigation concluded that no victims lost any cryptocurrency in the attack. However, the email addresses of 81 subscribers may have been exposed to the attacker.
The emails contained a false advertisement claiming that the Ethereum Foundation had partnered with the Lido Decentralized Autonomous Organization (LidoDAO) to offer a 6.8% yield on deposits of staked Ether (stETH), Wrapped Ether (WETH), or Ether (ETH). The email told subscribers that their stake would be “secured and guaranteed by the Ethereum Foundation.”
Users who clicked on the “Start Staking” button in the email were taken to a malicious web application, which advertised itself as “Staking Launchpad.” Clicking the “Stake” button from within this app pushes a transaction to the user's wallet. If the user approved this transaction, their “wallet would be depleted,” the post said.
When the malicious emails were discovered, the foundation responded by blocking the attacker from sending further emails. It also “blocked the malicious access path the threat actor used to log into the mailing list provider by ensuring the attacker could not access the email address. And sent notifications to various blacklists, Web3 Wallet providers, and Cloudflare to alert users if they tried to navigate to a malicious website.”
After further investigation, the Ethereum Foundation found that the attacker had uploaded a database containing new email addresses that were not included in the Ethereum Foundation subscriber list, indicating that some users who were not on the list could also have received fraudulent emails. The attacker also “exported blog mailing email addresses, totaling 3759 email addresses.”
The foundation then tried to determine whether the attacker had obtained any new email addresses through the exploit. The blog's mailing list contained 81 email addresses that the threat actor did not previously hold; the rest duplicated addresses already in the attacker's uploaded database.
Fortunately, it appears that the attacker did not obtain any cryptocurrency from the attack. The foundation said:
“Analysis of on-chain transactions for the threat actor between the time they sent the email campaign and when the malicious domain was shut down, shows that no victims lost their money in this particular campaign sent by this threat actor.”
Phishing campaigns are a common way for crypto users to lose their money. On June 23, a MakerDAO member lost $11 million after making several botched token validations, apparently after connecting to a fake web app. On June 26, the marketing email address of the Hedera Hashgraph blockchain network was also hacked to send phishing emails.