Timeline of the Web3 protocol mass phishing campaign
On January 23, users of several Web3 protocols and companies were hit by a massive phishing campaign. More than $580,000 worth of crypto has been lost so far in the attack, which used emails sent from addresses belonging to WalletConnect, Token Terminal, Social.Fi and De.Fi, as well as official Cointelegraph email addresses.
Here's a timeline of what happened:
10:03 am UTC: WalletConnect announced that its users were receiving malicious emails: “We are aware of an email that appears to be sent from an email address associated with WalletConnect, asking recipients to open a link so they can claim an airdrop. We can confirm that this email does not originate directly from WalletConnect or any of WalletConnect's affiliates, and that the link appears to lead to a malicious site.”
The WalletConnect team said it was working with a blockchain security firm to determine how the attacker gained access to the team's email domain. Blockaid then shared the report from its own X account.
10:11 am UTC: Cointelegraph was notified via Telegram that its official email address was sending scam emails to subscribers. Cointelegraph employees began reporting internally that they had received a malicious email. The message (screenshot below) claims to be a “10th Anniversary Web3 Exclusive Airdrop” and links to a malicious site.
The Cointelegraph Information Technology Department was immediately notified of the problem and, in turn, contacted the company's email provider, MailerLite, to find out the cause. Meanwhile, the IT team successfully blocked the malicious links and prevented them from being sent to anyone else.
Cointelegraph also cautioned, in posts on X and its other social media platforms, that the promotion was not genuine and that users should not click on links in the emails.
Fraud alert
We have been made aware of scammers impersonating Cointelegraph.
Cointelegraph does not offer airdrops.
Please do not respond or click on any link sent by anyone in your DM/email claiming to be a member of the Cointelegraph group.
Goodbye! pic.twitter.com/yi2VmW12xC
— Cointelegraph (@Cointelegraph) January 23, 2024
11:00 am UTC: Cointelegraph became aware of the WalletConnect report and began an investigation, contacting Blockaid for more information. Shortly after, security sleuth ZachXBT reported on Telegram that the phishing attacks came from “CoinTelegraph, WalletConnect, Token Terminal and De.Fi.”
11:41 am UTC: Cointelegraph reported on the hack.
1:34 pm UTC: Cybersecurity firm Hudson Rock released a report saying it found malware on a computer belonging to an employee of MailerLite, the email provider used by all of the companies whose addresses sent the malicious emails. Hudson Rock says this malware may have allowed the attacker access to MailerLite's servers, which would explain how the phishing campaign occurred. Cointelegraph has updated its coverage to include Hudson Rock's claims.
MailerLite Hack Leads to Massive Cryptocurrency Theft – Exploit or Hacking Infection? pic.twitter.com/qZtBj8SAd3
— Hudson Rock (@RockHudsonRock) January 23, 2024
According to the report, Hudson Rock researchers recently identified a MailerLite employee computer with access to sensitive URLs within MailerLite and its third parties. The computer held login credentials for the URL admin.mailerlite.com/admin, which appears to be the MailerLite staff login page.
In addition, the computer contained valid cookies for Slack.com and Office365, which could be used to perform session hijacking and obtain personal information. The cybersecurity firm said it had obtained an image of the user's desktop at the time of the attack, which it said showed the user “had problems when trying to execute the infected software.”
Hudson Rock cautioned that this evidence does not prove that the phishing campaign was caused by this malware infection, as it is “uncertain whether MailerLite was exposed to an exploit or not.” However, the evidence “shows how a single infostealer infection can affect any company” and offers a plausible hypothesis as to how the phishing campaign might have played out.
4:55 pm UTC: Blockaid released a report on the results of its investigation, saying the attacker “used a vulnerability in the email service provider MailerLite to impersonate Web3 companies and extort $600,000.”
Cointelegraph reached out to MailerLite, which responded that it is currently conducting its own investigation. At the time of publication, MailerLite's report had not yet been published.