Pierluigi Paganini
July 05, 2024
Hackers compromised Ethereum’s mailing list provider and on the night of June 23, they sent an email to the 35,794 addresses. The email was sent from the address ‘updates@blog.ethereum.org’ and included a link to a malicious site running a crypto drainer.
“This website had a crypto drainer running in the background, and if a user initiated their wallet and signed the transaction requested by their website their wallet would have been drained.” reads the incident notice published by Ethereum.
The message was crafted to trick the recipient into visiting a malicious website by announcing a collaboration with Lido DAO and offering a 6.8% annual percentage yield (APY) on staked Ethereum.
The internal security team quickly launched an investigation into the security breach. The team is notifying users via X and email and secured the infrastructure to prevent similar attacks in the future.
Confirming we managed to send out an update. We should have locked down all external access, but still confirming. https://t.co/QJJPSW2fuY pic.twitter.com/sqmL4EmJbc
— timbeiko.eth (@TimBeiko) June 23, 2024
The security group also submitted the malicious link to blacklists, resulting in it being blocked by most web3 wallet providers and Cloudflare.
The threat actors sent phishing messages to addresses included in a large email list and 3,759 email addresses exported from the blog mailing list. Among these, 81 were new to the attacker. On-chain transaction analysis indicated that no funds were lost during this specific campaign.
“As we continue working on this incident, we have taken additional measures such as migrating some mail services to other providers, to further help reduce the risk of this happening again.” concludes the notice.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, phishing)
