July 24, 2024

Yesterday, it was revealed that the Ethereum Foundation’s email server was compromised on June 23, in a malicious attempt to promote a fraudulent crypto staking service on Lido.

The attackers used more than 35,000 email addresses gathered from Ethereum’s newsletter to launch a phishing campaign from the official Ethereum email address.

The phishing email encouraged users to stake their crypto assets on Lido for a supposed high return rate of 6.8%. However, the links embedded within the email led to a fraudulent platform that would empty the user’s wallet.

An in-depth look at the cyberfraud involving the Ethereum Foundation and a fake Lido platform

On June 23, cybercriminals breached Ethereum Foundation’s email server and used it to propagate a fake staking service on Lido to Ethereum’s newsletter subscribers.

The phishing messages—delivered to about 35,794 contacts—contained malicious links that could drain their wallets. The deception enticed users with a supposed high yield of 6.8% using stETH, WETH, or ETH.

In an attempt to make it appear authentic, the offender used the official Ethereum Foundation email address. They made up an explanation that Ethereum was partnering with Lido to provide increased benefits to Ethereum’s community. Following the embedded links, however, would drain any connected wallet into the attacker’s.

Phishing email depicting a fraudulent collaboration with Lido. Source: https://x.com/TimBeiko/status/1804693090944553186.

The fake “Staking Launchpad” of Lido is shown in this image. Source: https://x.com/_TOBTC/status/1808392380468584932/photo/1

Ethereum’s response to the phishing attack

Days after the fraudulent emails started circulating, the Ethereum Foundation finally addressed the issue. Core developer Tim Beiko gave an official account of the attack to the Ethereum community on July 2nd, explaining that their email provider, SendPulse, had been breached.

The foundation continues to work with SendPulse to rectify the issue. As of this time, it appears that the attacker no longer has access to the foundation’s contact list. Furthermore, the fraudulent message has been forwarded to web3 wallet providers’ blacklists to prevent the spread of the crypto scam.

Through an ongoing investigation, Ethereum discovered a new database containing additional email addresses not on the foundation’s list. This indicates the possibility of additional recipients of the phishing email, with the potential for further replication of the scam.

Fortunately, according to Ethereum, it appears that no crypto funds were lost as a result of the scam.

Rise of scams and exploits in the crypto world

Malicious actors continually seek opportunities to gain notoriety by infiltrating official and trusted entities within the crypto world, devising sophisticated cyberfrauds in the process. This recent attack on the Ethereum Foundation, which was used to promote a bogus version of Lido, is just the latest instance.

Such attacks aren’t new: as recently as June 26, the blockchain network Hedera Hashgraph had its marketing email compromised to spread scam emails, and a few days earlier, a MakerDAO member lost $11 million due to a fake web app.

A report by PeckShield reveals that blockchain thefts for June decreased compared to May, with crypto losses dropping from $385 million in May to $176 million last month. Between 2016 and now, hacks and exploits have resulted in losses amounting to a staggering $8.3 billion.

Source: https://defillama.com/hacks

Frequently Asked Questions

How did the hacker carry out the attack on the Ethereum Foundation’s email server?

The cybercriminal accomplished the attack by breaching the Ethereum Foundation’s email server and launching a phishing campaign against Ethereum’s newsletter subscribers from the official Ethereum email address. The phishing emails directed users to a fraudulent Lido platform that falsely promised a 6.8% yield on staking.

What actions has the Ethereum Foundation taken in response to this cyber attack?

The Ethereum Foundation responded to the attack by collaborating with their email provider, SendPulse, to address the issue. They have also forwarded the fraudulent message to various blacklists of web3 wallet providers to prevent the scam from spreading.

How can such attacks be prevented in the future?

One of the best ways to prevent such attacks is always to verify the authenticity of the email or message sender and the linked websites. Suspicious emails should be reported, and users should always double-check before participating in any offers related to staking, particularly those promising exceptionally high returns.
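The two checks recommended above (is the sender authentic, and do the links go where they claim?) can be automated for the first pass of triage. The following is an added example written for this article, not code from the Ethereum Foundation, Lido or SendPulse. It parses a constructed sample message, reads the receiving server's Authentication-Results header for the SPF, DKIM and DMARC verdicts, extracts every anchor from the HTML body, and flags links whose target is outside a trusted-domain allowlist or whose visible text names a different domain than the real target. The sample headers, the allowlist and the `.example` domains are placeholders chosen for the example, not indicators from the incident.

```python
"""Triage a suspected phishing email: authentication verdicts plus link-target checks.

Added example, not part of the original article. The sample message, the
trusted-domain allowlist and all *.example hostnames are constructed placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a newsletter-style lure whose first link points away from the
# brand it names. The Authentication-Results line is what a receiving MTA would add.
SAMPLE_EMAIL = """\
From: Ethereum Foundation <updates@ethereum.example>
To: subscriber@recipient.example
Subject: Stake with Lido for 6.8% APY
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bounce.sender.example; dkim=pass header.d=sender-esp.example; dmarc=fail header.from=ethereum.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>We have partnered with Lido. <a href="https://launchpad.lido-staking.example/connect">https://lido.fi/launchpad</a></p>
<p>Questions? Visit <a href="https://ethereum.org/en/">ethereum.org</a></p>
</body></html>
"""

# Domains the recipient treats as legitimate for these senders (assumption for the example).
TRUSTED_DOMAINS = {"ethereum.org", "lido.fi", "ethereum.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels heuristic (no public-suffix list); adequate for this example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_auth_results(header):
    """Map each method in an Authentication-Results header to its verdict, e.g. {'spf': 'fail'}."""
    results = {}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I):
        results[method.lower()] = verdict.lower()
    return results


def triage(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means nothing suspicious was detected."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender authenticity: every method should report 'pass'.
    auth = parse_auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")

    # 2. Link targets: compare the real destination against the allowlist and the visible text.
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        if target not in trusted_domains:
            findings.append(f"link to untrusted domain {host}")
        # Visible text that names a host different from the real target is a classic lure.
        m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if m and registrable_domain(m.group(1)) != target:
            findings.append(f"link text '{text}' does not match target {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, `triage` reports the SPF and DMARC failures and two problems with the first link (an untrusted domain, and visible text naming lido.fi while the href goes elsewhere); the second link passes both checks. In a real mail pipeline the Authentication-Results header must be taken only from your own receiving server, since a sender can forge one, and the allowlist would be the list of official domains you maintain for the brands you expect mail from.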