On 2024-06-23, 00:19 AM UTC, a deceptive email was dispatched to 35,794 email addresses by updates@blog.ethereum.org containing the following information
Individuals who clicked the link in the email were redirected to a harmful website:
This website operated a crypto drainer in the background, and if a user opened their wallet and approved the transaction requested by the website, their wallet would have been compromised.
Our internal security group promptly initiated an inquiry to help ascertain who perpetrated the attack, what the intent was, when it occurred, who was impacted, and the methods used.
Some of the preliminary measures taken were:
- Stopped the threat actor from dispatching further emails.
- Issued alerts via Twitter and email advising not to click the suspicious link.
- Shut down the unauthorized access route utilized by the threat actor to infiltrate the mailing list provider.
- Reported the malicious link to several blacklists, resulting in it being blocked by most web3 wallet providers and Cloudflare.
Our investigation into the incident revealed that:
- The threat actor had uploaded their own extensive email list into the mailing list platform for the phishing scheme.
- The threat actor extracted the email addresses from the blog mailing list, totaling 3759 addresses.
- Upon comparing the emails in the list imported by the threat actor, it was evident that the blog mailing list contained 81 email addresses unknown to the threat actor, with the remainder being duplicates.
- An analysis of on-chain transactions associated with the threat actor from the time they launched the email campaign until the malicious domain was blocked shows that no victims lost funds during this particular campaign.
As we continue to address this occurrence, we have implemented further safeguards, including transitioning some mailing services to different providers, to further mitigate the risk of recurrence.
We sincerely apologize for this incident and are collaborating effectively with both our internal security team and external partners to more comprehensively address and investigate this matter.
Any inquiries can be directed to security@ethereum.org.
