On 2024-06-23 at 00:19 UTC, a phishing email was sent to 35,794 email addresses by updates@blog.ethereum.org with the following content
Users who clicked on the link in the email were redirected to a malicious website:
This website had a cryptocurrency drainer running in the background: if a user connected their wallet and signed the transaction requested by the website, their wallet would have been drained.
Our internal security team immediately launched an investigation to help determine who launched the attack, what the objective of the attack was, when it occurred, who was affected, and how it occurred.
Some of the first steps taken were:
- Prevented the threat actor from sending additional emails.
- Sent notifications via Twitter and email warning people not to click on the link in question.
- Closed the malicious access path that the threat actor used to gain access to the mailing list provider.
- Submitted the malicious link to various blacklists; it was subsequently blocked by the majority of Web3 wallet providers and by Cloudflare.
Our investigation into the attack showed that:
- The threat actor imported their own large email list into the mailing list platform to use in the phishing campaign.
- The threat actor exported the email addresses from the blog’s mailing list, which totaled 3,759 email addresses.
- When we compared the blog's mailing list against the list the threat actor had imported, we found that the blog mailing list contained 81 email addresses the threat actor did not already have; the rest were duplicate addresses.
- Analysis of the on-chain transactions made to the threat actor between the time they sent the email campaign and the time the malicious domain was blocked appears to show that no victims lost funds during this specific campaign.
As we continue to work through this incident, we have taken additional measures, such as migrating some email services to other providers, to further reduce the risk of this happening again.
We are deeply sorry that this incident occurred and are working diligently with our internal security team as well as external security teams to help resolve and further investigate this incident.
Any questions can be addressed to security@ethereum.org.