Web3 protocol mass phishing campaign timeline


On Jan. 23, the users of multiple Web3 protocols and companies were hit with a mass phishing campaign by scammers. Over $580,000 worth of crypto has so far been lost in the attack, which used emails sent from the official email addresses of WalletConnect, Token Terminal, Social.Fi and De.Fi, as well as Cointelegraph.

Here is a timeline of what happened:

10:03 am UTC: WalletConnect announced that its users have been receiving malicious emails: “We’re aware of an email that appears to have been sent from an email address linked to WalletConnect prompting recipients to open a link to be able to claim an airdrop. We can confirm that this email was not issued directly from WalletConnect or any WalletConnect affiliates, and that the link appears to lead to a malicious site.”

The WalletConnect team said it was working with blockchain security firm Blockaid to determine how the attacker gained the ability to send from the team’s email domain. Blockaid subsequently shared the report from its own X account.

10:11 am UTC: Cointelegraph received an alert on Telegram that its official email address was sending out scam emails to subscribers. Cointelegraph staff also started to report internally that they had received the malicious email. The message (screenshot below) claimed to be a “10th Anniversary Web3 Exclusive Airdrop” and linked to a malicious site.

Malicious email sent from an official Cointelegraph email address. Source: Cointelegraph

The Cointelegraph information technology department was immediately alerted to the problem and, in turn, contacted the company’s email provider, MailerLite, to determine the cause. Meanwhile, the IT team blocked the malicious links so that no further copies of the message could go out to subscribers.

Cointelegraph also posted to X and other social media platforms, warning that it was not promoting an airdrop and that users should not click links in emails claiming otherwise.

Approximately 11:00 am UTC: Cointelegraph became aware of the WalletConnect report and began an investigation, contacting Blockaid in an attempt to gain more information. Soon after, security sleuth ZachXBT reported on Telegram that the phishing attack was coming from “CoinTelegraph, WalletConnect, Token Terminal, and De.Fi.”

11:41 am UTC: Cointelegraph published its report on the hack.

1:34 pm UTC: Cybersecurity service Hudson Rock released a report claiming that it discovered malware on a computer belonging to an employee of MailerLite, the same email service used by all the websites that sent out the malicious emails. Hudson Rock theorized that this malware may have allowed the attacker to gain access to MailerLite’s servers, which may explain how the phishing campaign occurred. Cointelegraph updated its coverage to include Hudson Rock’s claims.

According to the report, “Hudson Rock researchers identified a recently infected computer of a MailerLite employee with accesses to sensitive URLs within MailerLite & its third parties.” The computer had access to login credentials for the URL admin.mailerlite.com/admin, which appears to be the login page for MailerLite employees.

In addition, the computer contained valid cookies for Slack.com and Office365, which could have been used to perform session hijacks to obtain private information. The cybersecurity firm claimed to have obtained an image of the user’s desktop at the time the attack happened, which revealed “that they were compromised when trying to execute an infected software.”

Alleged image of the MailerLite employee’s PC at the moment of attack. Source: Hudson Rock

Hudson Rock cautioned that this evidence did not prove that the phishing campaign was caused by this malware infection, as “it is uncertain whether MailerLite suffered an exploit or not.” However, the evidence “illustrates how a single infostealer infection could be detrimental to any company” and provides a plausible hypothesis for how the phishing campaign may have been possible.

4:55 pm UTC: Blockaid released a report on the results of its investigation, claiming that the attacker “was able to leverage a vulnerability in email service provider Mailer Lite to impersonate web3 companies, draining $600k+.”

Cointelegraph reached out to MailerLite, which responded that it was carrying out its own investigation. At the time of publication, it had not yet provided its report.