Hacking at the Ethereum Foundation. 35,794 Phishing Emails Sent

On 23 June, the Ethereum Foundation’s ‘update’ email account was compromised by hackers, who orchestrated a major phishing scam.

Immediate reaction

A detailed report on the incident was published by the foundation on 2 July. The attackers used the official email address, updates@blog.ethereum.org, to send 35,794 phishing emails to foundation members and other individuals. Upon discovering the attack, the Ethereum Foundation acted quickly to regain control of the compromised account. It was ensured that no further malicious emails were sent, and the access path used by the attackers to infiltrate the mailing list provider was blocked.

Content of the phishing e-mail

The phishing emails falsely announced a partnership between the Ethereum Foundation and the Lido Decentralised Autonomous Organisation (LidoDAO). They promised a 6.8 per cent return on Ether staked (stETH), Wrapped Ether (WETH) or Ether deposits (ETH), claiming they would be ‘Protected and Verified by the Ethereum Foundation’.

Recipients were directed to click on a ‘Start Staking’ button, which led them to a fake web application posing as a ‘Staking Launchpad’. Within this malicious app, clicking on the ‘Stake’ button would initiate a transaction on the user’s wallet, potentially draining funds if the transaction was approved.

Investigation and security measures

The foundation’s in-depth investigation revealed that the attacker had sent e-mails to 3,759 unique addresses from the foundation’s blog mailing list, along with other addresses not previously known to the foundation. They found that 81 email addresses on the blog mailing list were new and not previously known to the attacker.

Importantly, the investigation concluded that no users lost cryptocurrency due to the phishing scam. Analysis of on-chain transactions showed no funds transferred to the attacker’s account by victims during the campaign.

Defence Actions

In response to the attack, the Ethereum Foundation took several preventive measures:

• Blockingfurther emails. They immediately blocked the attacker from sending further emails.
• Email account security. The foundation closed the malicious access path used by the attacker.
• Notification of authorities and platforms. Alerts were sent to various blacklists, Web3 wallet providers and Cloudfare to warn users of the malicious site.

In addition, the foundation sent warnings to affected subscribers and ensured that their mailing list was protected against future attacks.

General context and similar incidents

Phishing campaigns area known method of stealing funds from cryptocurrency users. This incident follows another significant phishing attack on 23 June, where a MakerDAO member lost $11 million due to incorrect token approvals after interacting with a fake web application. Similarly, on 26 June, the marketing email address for the Hadera Hashgraph blockchain network was hacked, leading to scam emails being sent.

For cryptocurrency users, this incident should serve as a reminder to stay alert against phishing scams and verify the authenticity of communications purporting to come from trusted sources.