The Ethereum Foundation has disclosed a significant phishing attack targeting its blog mailing list subscribers.
The incident, which occurred on June 23, 2024, at 00:19 AM UTC, involved the unauthorized use of the Foundation's official email address to distribute malicious content to nearly 36,000 recipients.
According to the Ethereum Foundation's Operational Security team on July 2, 2024, the attack utilized the email address [email protected] to send out deceptive messages. The phishing email contained a link that directed unsuspecting users to a fraudulent website designed to drain cryptocurrency wallets.
 |
| Phishing Email |
The Foundation's security team quickly sprang into action upon discovering the breach. They immediately prevented the attacker from sending additional emails and closed the security loophole that had allowed unauthorized access to the mailing list provider. The team has also notified users through Twitter and email about the potential danger.
The Foundation submitted the malicious link to various blacklists that resulted in the link being blocked by most Web3 wallet providers and Cloudflare which significantly reduced the potential for further damage.
The Ethereum Foundation's investigation into the incident revealed several key findings:
- The attacker had imported a large external email list into the mailing list platform, which was then used for the phishing campaign.
- The threat actor managed to export 3,759 email addresses from the blog mailing list.
- A comparison of the attacker's imported list with the blog mailing list showed that only 81 email addresses were previously unknown to the attacker, with the rest being duplicates.
Despite the scale of the attack, the Foundation's analysis of on-chain transactions suggests that no victims lost funds during this specific campaign. The team has implemented additional security measures, including migrating some mail services to alternative providers.