The Ethereum Foundation saw its email account hacked to promote a scam masquerading as a Lido staking scheme.
According to a recent announcement, the Ethereum Foundation’s email account used to send official updates was compromised on June 23.
The attackers used the [email protected] email address to send scam emails to 35,794 addresses.
Within the email, users came across an announcement that the Ethereum Foundation had collaborated with the Lido decentralized autonomous organization (LidoDAO). As part of the partnership, a 6.8% yield on staked Ether (stETH), Wrapped Ether (WETH), or Ether (ETH) deposits was being offered.
“The collaboration harnesses the strengths of both organizations to deliver deep liquidity and competitive rewards, enhancing your staking experience with over 100+ integrations,” an excerpt from the announcement said.
Further, it added that the staking service would be “protected and verified” by the Ethereum Foundation.
At the bottom of the announcement was a “Begin Staking” button. Clicking this would redirect users to a website created by the attackers.
Phishing email created by Ethereum Foundation hacker | Source: Ethereum Foundation blog
Dubbed “Staking Launchpad,” the malicious website allegedly had a crypto drainer running in the background. Further, the website was designed to look professional.
The fake website is linked to the email sent by the hacker | Source: Ethereum Foundation blog
Anyone clicking on the “Stake” button on the website would be asked to approve the transaction in their wallet. If approved, all funds from the user’s account would be drained.
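The drain described above only works once the user signs the approval, so a wallet-side check before signing is the natural mitigation. The following is an added illustration, not code from the article, the Ethereum Foundation or Lido: it decodes the two approval calls drainers commonly request (the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` selectors) and flags unlimited or unknown-spender approvals; the drainer address and the sample transaction are constructed placeholders.

```python
from dataclasses import dataclass

# 4-byte selectors: first four bytes of keccak256 over the canonical signature
APPROVE = "095ea7b3"               # approve(address,uint256)        ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool) ERC-721/1155
UINT256_MAX = 2**256 - 1           # "unlimited" allowance

@dataclass
class Tx:
    to: str         # contract the wallet is asked to call
    value_wei: int  # native ETH attached to the call
    data: str       # hex calldata, "0x..."

def _word(body: str, i: int) -> str:
    """i-th 32-byte ABI argument after the 4-byte selector, as 64 hex chars."""
    return body[8 + 64 * i: 8 + 64 * (i + 1)]

def assess(tx: Tx, trusted: set[str]) -> list[str]:
    """Warnings a wallet should surface before the user signs (empty = nothing odd)."""
    body = tx.data[2:] if tx.data.startswith("0x") else tx.data
    selector = body[:8].lower()
    warnings = []
    if selector == APPROVE and len(body) >= 8 + 128:
        spender = "0x" + _word(body, 0)[-40:]
        amount = int(_word(body, 1), 16)
        if spender.lower() not in trusted:
            warnings.append(f"approve: spender {spender} is not a known contract")
        if amount == UINT256_MAX:
            warnings.append("approve: unlimited allowance requested")
    elif selector == SET_APPROVAL_FOR_ALL and len(body) >= 8 + 128:
        operator = "0x" + _word(body, 0)[-40:]
        if int(_word(body, 1), 16) != 0 and operator.lower() not in trusted:
            warnings.append(f"setApprovalForAll: hands {operator} every token in the collection")
    if tx.value_wei > 0 and tx.to.lower() not in trusted:
        warnings.append(f"sends {tx.value_wei} wei of ETH to unknown address {tx.to}")
    return warnings

def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount); used here only to build sample input."""
    return "0x" + APPROVE + spender[2:].lower().rjust(64, "0") + f"{amount:064x}"

# Constructed sample: a drainer-style request for an unlimited token allowance.
DRAINER = "0x" + "de" * 20   # placeholder address, not a real contract
SAMPLE = Tx(to="0x" + "aa" * 20, value_wei=0, data=encode_approve(DRAINER, UINT256_MAX))

if __name__ == "__main__":
    for w in assess(SAMPLE, trusted=set()):
        print("WARNING:", w)
```

Real wallets additionally simulate the transaction and check the spender against reputation lists; this check only covers the approval pattern itself.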
No funds lost
At the time of writing, the foundation said it had gained control of the compromised email address. As per the foundation’s investigation, no funds were lost in the attack.
“Analyzing on-chain transactions made to the threat actor between the time they sent out the email campaign and the time the malicious domain got blocked appear to show that no victims lost funds during this specific campaign sent by the threat actor,” the foundation noted.
The foundation also discovered that the hacker had uploaded a database of email addresses that were not part of its subscriber list. As a result, several users who had never subscribed also received the scam email.
The attacker also exported the “blog mailing list email addresses,” containing 3,759 email addresses. However, only 81 of those were unique; the rest were “duplicate addresses.”
As such, it was estimated that the attack compromised the email addresses of 81 subscribers.
Meanwhile, the foundation has also reached out to several wallet providers, blacklists, and DNS provider Cloudflare, urging these platforms to warn users if they are redirected to the malicious website.
The cryptocurrency industry is no stranger to phishing schemes via email.
In early June, several key crypto figures warned that a prominent email vendor had been compromised and that users were receiving scam emails promoting fake airdrops. Prior to that, the email addresses of several prominent crypto-related entities were used to send phishing emails.