The Ethereum Foundation's email account was hacked to promote a scam disguised as a Lido staking scheme.
According to a recent announcement (ethereum.org/en/2024/07/02/blog-incident), the Ethereum Foundation email account used to send official updates was compromised on June 23.
The attackers used the email address (email protected) to send fraudulent emails to 35,794 addresses.
In the email, users found an announcement that the Ethereum Foundation had collaborated with the Lido decentralized autonomous organization (LidoDAO). As part of the partnership, a 6.8% yield was offered on staked Ether (stETH), Wrapped Ether (WETH) or Ether (ETH) deposits.
“The collaboration leverages the strengths of both organizations to provide deep liquidity and competitive rewards, enhancing your staking experience with over 100 integrations,” an excerpt from the announcement read.
The email added that the staking service would be “protected and verified” by the Ethereum Foundation.
At the bottom of the ad was a button that said “Start Staking.” Clicking on it would redirect users to a website created by the attackers.
The malicious website, dubbed “Staking Launchpad,” allegedly had a cryptocurrency drainer running in the background. Additionally, the website was designed to look professional.
Anyone who clicked the “Stake” button on the website would be asked to approve a transaction in their wallet. If approved, all funds would be drained from the user’s account.
No funds were lost
At the time of writing, the foundation claimed it had gained control of the compromised email address. According to the foundation's investigation, no funds were lost in the attack.
“Analysis of on-chain transactions made to the threat actor between the time he sent the email campaign and the time the malicious domain was blocked appears to show that no victims lost funds during this specific campaign sent by the threat actor,” the foundation noted.
The foundation also discovered that the hacker had uploaded a database containing email addresses that were not part of the foundation's subscriber list. As a result, several users who had not subscribed also received the fraudulent email.
The attacker also exported the “blog mailing list email addresses,” which contained 3,759 email addresses. However, only 81 of those addresses were not duplicates; the rest were “duplicate addresses.”
The attack was estimated to have compromised the email addresses of 81 subscribers.
Meanwhile, the foundation has also reached out to several wallet providers, blacklists and DNS provider Cloudflare urging these platforms to warn users if they are redirected to the malicious website.
The cryptocurrency industry is no stranger to email phishing schemes.
In early June, several key figures in the crypto world warned about a major email provider that had been compromised and that users were receiving scams promoting fake airdrops. Prior to that, the email addresses of several major crypto-related entities had been used to send phishing emails.