Ethereum Foundation email hacked to promote Lido staking phishing scam


On June 23, the Ethereum Foundation’s “update” email account was hacked and used to promote a phishing scam, according to a July 2 blog post from the foundation. The foundation has recovered the account, and the malicious emails are no longer being sent out.

According to the post, 35,794 scam emails were sent to the foundation’s subscribers and other individuals using its official [email protected] email address. The foundation’s investigation led to the conclusion that no victims lost cryptocurrency from the attack. However, the email addresses of 81 subscribers may have been exposed to the attacker.

The emails contained a fake announcement stating that the Ethereum Foundation has partnered with the Lido decentralized autonomous organization (LidoDAO) to offer 6.8% yield on staked Ether (stETH), Wrapped Ether (WETH), or Ether (ETH) deposits. It told subscribers that staking would be “Protected and Verified by The Ethereum Foundation.”

Ethereum Foundation hacker phishing email. Source: Ethereum Foundation

Users who clicked the “Begin Staking” button in the email were directed to a malicious web app, which advertised itself as a “Staking Launchpad.” Clicking the “Stake” button from within this app pushed a transaction to the user’s wallet. If the user had approved this transaction “their wallet would have been drained,” the post stated.

Fake “Staking Launchpad” advertised by hacker. Source: Ethereum Foundation

When the malicious emails were discovered, the foundation responded by blocking the attacker from sending more emails. It also “closed off the malicious access path the threat actor had used to obtain access into the mailing list provider,” ensuring that the attacker could no longer gain access to the email address. And it sent out notices to various blacklists, Web3 wallet providers, and Cloudfare so that users could receive warnings if they attempted to navigate to the malicious site.

After further investigation, the Ethereum Foundation discovered that the attacker had uploaded a database containing new email addresses that were not part of the Ethereum Foundation’s subscriber list, implying that some users who were not on the list may have nevertheless received the scam emails. In addition, the attacker “exported the blog mailing list email addresses, which was a total of 3759 email addresses.”

The foundation attempted to determine if the attacker obtained any new email addresses from the exploit. It found that “the blog mailing list contained 81 email addresses that the threat actor did not previously have knowledge of, and the rest were duplicate addresses.”

Related: TON ecosystem flooded with phishing attacks, SlowMist warns

Luckily, the attacker appears to have gained no crypto loot from the attack. The foundation stated:

“Analyzing on-chain transactions made to the threat actor between the time they sent out the email campaign and the time the malicious domain got blocked, appear to show that no victims lost funds during this specific campaign sent by the threat actor.”

Phishing campaigns are a common way for crypto users to lose their funds. On June 23, a MakerDAO member lost $11 million after making several mistaken token approvals, apparently after interacting with a fake web app. On June 26, a marketing email address for blockchain network Hadera Hashgraph was also hacked to send out scam emails.