On June 23, 2024 at 00:19 UTC, a phishing email was sent to 35,794 email addresses from updates@blog.ethereum.org with the following content:
[Screenshot of the phishing email]
Users who clicked the link in the email were sent to a malicious website:
[Screenshot of the malicious website]
This website ran a cryptocurrency drainer in the background: if a user connected their wallet and signed the transaction the site requested, their wallet would have been emptied.
Our internal security team immediately launched an investigation to help determine who launched the attack, what the attack was aimed at, when it occurred, who was affected, and how it happened.
Some of the initial actions taken were:
- The threat actor was prevented from sending additional emails.
- We sent notifications via Twitter and email warning recipients not to click the link in question.
- The malicious access path that the threat actor had used to gain access to the mailing list provider has been closed.
- We submitted the malicious link to several blocklists, after which it was blocked by most web3 wallet providers and by Cloudflare.
Our investigation into the attack showed that:
- The threat actor imported a large email list of their own into the mailing list platform for use in the phishing campaign.
- The threat actor exported the email addresses of the blog's mailing list, which totaled 3,759 email addresses.
- When we compared the blog's mailing list against the list the threat actor had imported, we found that the blog's list contained 81 email addresses the threat actor did not already hold; the remaining addresses were duplicates of ones already in the threat actor's list.
- Analysis of on-chain transactions to the threat actor between the time the email campaign was sent and the time the malicious domain was blocked indicates that no victims lost funds during this specific campaign.
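The exposure-scoping step described above (comparing the exported subscriber list against the list the attacker imported, to find which addresses were new to the attacker) is straightforward to reproduce. The following is an added example, not code from the original notice or from the Ethereum Foundation; the two address lists are constructed sample data, and the function and class names are my own.

```python
"""Scope the exposure of a leaked subscriber list after a mailing-list compromise.

Added example, not part of the original incident notice. Given the address
list the attacker imported into the mailing platform and the subscriber list
they exported, determine which subscriber addresses the attacker did not
already hold. Addresses are normalised before comparison so that trivial
case or whitespace differences do not hide a match. All addresses below are
constructed sample data.
"""
from dataclasses import dataclass, field


def normalise(address: str) -> str:
    """Canonicalise an address for comparison.

    The domain is case-insensitive by definition. The local part is lowercased
    too: mailbox providers almost universally treat it case-insensitively, and
    when scoping exposure a false match is safer than a missed one.
    """
    addr = address.strip()
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    return f"{local.lower()}@{domain.lower()}"


@dataclass
class ExposureReport:
    exported_total: int           # distinct addresses in the exported subscriber list
    attacker_imported_total: int  # distinct addresses the attacker already held
    # Subscribers the attacker did not already have: these are the addresses
    # actually disclosed by the export and the ones to prioritise for notification.
    newly_exposed: set[str] = field(default_factory=set)
    # Subscribers that merely duplicated data the attacker already held.
    already_known: set[str] = field(default_factory=set)


def scope_exposure(attacker_imported: list[str], exported_subscribers: list[str]) -> ExposureReport:
    """Compare the two lists after normalisation and split the subscriber list
    into 'new to the attacker' and 'already known to the attacker'."""
    known = {normalise(a) for a in attacker_imported}
    subscribers = {normalise(a) for a in exported_subscribers}
    return ExposureReport(
        exported_total=len(subscribers),
        attacker_imported_total=len(known),
        newly_exposed=subscribers - known,
        already_known=subscribers & known,
    )


# Constructed sample data standing in for the attacker's imported list and the
# exported subscriber list (hypothetical addresses, not from the incident).
ATTACKER_IMPORTED = [
    "alice@example.com",
    "BOB@Example.org",
    "carol@example.net",
    "dave@example.com",
]
EXPORTED_SUBSCRIBERS = [
    "Alice@example.com",      # duplicate of attacker data, differs only in case
    "bob@example.org",
    "erin@example.org",       # newly exposed
    "  frank@example.net  ",  # newly exposed, surrounding whitespace from the export
    "carol@example.net",
]

if __name__ == "__main__":
    report = scope_exposure(ATTACKER_IMPORTED, EXPORTED_SUBSCRIBERS)
    print(f"exported subscribers:        {report.exported_total}")
    print(f"attacker already held:       {report.attacker_imported_total}")
    print(f"newly exposed to attacker:   {len(report.newly_exposed)}")
    for address in sorted(report.newly_exposed):
        print(f"  notify: {address}")
```

On the sample data this reports 2 newly exposed addresses out of 5 exported subscribers, with the other 3 being duplicates of data the attacker already held. Normalising before the comparison matters: without it, the case difference in the first address would be counted as a new disclosure and inflate the exposure figure.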
As we continue to work through this incident, we have taken additional steps, such as migrating some email services to other providers, to help further reduce the risk of this happening again.
We deeply regret that this incident occurred and are working diligently with our internal and external security teams to address and investigate it.
Any questions can be directed to security@ethereum.org.