In a recent security breach, the Ethereum Foundation’s official communication channel was compromised and used to endorse a fraudulent Lido staking offer. The breach, disclosed in a new statement from the Foundation, occurred on June 23 when its email system was infiltrated.
The attackers used the [email protected] address to send fraudulent messages to 35,794 recipients. The emails falsely announced a partnership between the Ethereum Foundation and the Lido decentralized autonomous organization (LidoDAO) and promised a 6.8% yield on deposits of staked Ether (stETH), Wrapped Ether (WETH), or Ether (ETH). Because the messages originated from a genuine Foundation address, sender-authentication checks such as SPF, DKIM, or DMARC would not have flagged them.
The announcement boasted of a synergy that “combines the expertise of both entities to offer substantial liquidity and competitive incentives, elevating your staking journey with more than 100 integrations.” It also assured users that the staking service would be “secured and authenticated” by the Ethereum Foundation.
A prominent “Begin Staking” call-to-action at the end of the email led users to a fraudulent website styled as a “Staking Launchpad”, which silently ran a cryptocurrency-draining script.
Screenshot of the phishing email crafted by the perpetrator | Courtesy of Ethereum Foundation’s blog
Snapshot of the deceptive website linked in the phishing email | Courtesy of Ethereum Foundation’s blog
Clicking the “Stake” button on this site prompted users to authorize a transaction in their wallets; if confirmed, that transaction would drain their funds. The wallet confirmation prompt was therefore the last point at which a recipient could still have stopped the attack.
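The campaign described above passed every check that looks at the sender: the mail really came from a Foundation address. What did not fit was the “Begin Staking” link, which pointed outside the sender’s domain. The following script is an added example (not code from the Ethereum Foundation, the article, or its author) that parses a raw message, extracts every hyperlink from its HTML body, and reports links whose registrable domain differs from the sender’s. The sample message and every domain in it are constructed for the example; the page does not disclose the attacker’s real domain.

```python
"""Flag e-mail hyperlinks whose domain does not match the sender's domain.

Added example; not the Ethereum Foundation's code and not from the original
article.  The sample message below, and all domains in it, are constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate sender, one link inside the sender's domain
# and one off-domain "Begin Staking" call-to-action (placeholder domains only).
SAMPLE_EMAIL = """\
From: Example Foundation <updates@blog.example.org>
To: subscriber@example.com
Subject: Announcing a staking collaboration
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the announcement on <a href="https://blog.example.org/post/123">our blog</a>.</p>
<p><a href="https://staking-launchpad.example.net/start?ref=mail">Begin Staking</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._current: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = href
                self._text = []

    def handle_data(self, data):
        if self._current is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current, " ".join(self._text).strip()))
            self._current = None


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    A production check would consult the public-suffix list; this is enough
    to tell blog.example.org apart from staking-launchpad.example.net.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def html_body(msg: Message) -> str:
    """Return the first text/html part of the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def suspicious_links(raw_email: str) -> list[dict]:
    """Return every hyperlink whose domain differs from the sender's domain."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])

    extractor = LinkExtractor()
    extractor.feed(html_body(msg))

    findings = []
    for href, text in extractor.links:
        link_domain = registrable_domain(urlparse(href).hostname or "")
        if link_domain != sender_domain:
            findings.append({
                "text": text,
                "href": href,
                "link_domain": link_domain,
                "sender_domain": sender_domain,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"off-domain link {f['text']!r} -> {f['href']} "
              f"({f['link_domain']} != {f['sender_domain']})")
```

The heuristic is deliberately narrow: it does not judge the sender, because in this incident the sender was genuine, and it says nothing about what the linked site does. It only surfaces the one signal a recipient could have acted on before reaching the wallet prompt, a call-to-action that leaves the domain the mail claims to come from.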
The Ethereum Foundation has since regained control of the compromised email account. Its investigation found that no assets were lost: an analysis of on-chain transactions linked to the campaign, up to the point at which the malicious domain was blocked, showed no victims suffering financial loss.
The investigation also found that the attacker had uploaded a database of email addresses from outside the Foundation’s subscriber base, so non-subscribers also received the scam emails. The “blog mailing list email addresses” exported by the attacker contained 3,759 entries, of which only 81 were not duplicates. The Foundation therefore estimates that the email addresses of 81 subscribers were exposed.
In response, the Foundation contacted wallet providers, blocklist maintainers, and the DNS provider Cloudflare, asking them to warn users about the malicious website.
The crypto community is no stranger to email phishing. Earlier in June, prominent figures in the crypto space warned the public about a significant compromise of an email service provider, which led to scam emails promoting fictitious airdrops. That incident followed earlier phishing campaigns that abused the email addresses of well-known crypto organizations.