In January 2024, a phishing scam targeted users of web3 companies, including Wallet Connect, CoinTelegraph, Token Terminal, and De.Fi. The attackers used official email addresses to send fraudulent emails containing links to malicious sites. This sophisticated phishing campaign aimed to steal funds from thousands of crypto wallets.
The first phishing email, sent from an address linked to Wallet Connect, invited recipients to claim an airdrop by clicking a link. Wallet Connect confirmed that the link led to a malicious site and that the email had not been sent by its team or by anyone authorized to use that address.
The campaign quickly widened to other web3 companies, as a community alert from crypto sleuths pointed out: emails from CoinTelegraph, Token Terminal, and De.Fi were also abused, which indicated the scale of the operation. By the time of the alert, around $580,000 had reportedly already been stolen.
Blockaid, a web3 security and privacy firm, was engaged by Wallet Connect to investigate. It found that the attacker had obtained access at the email service provider MailerLite and used it to impersonate web3 companies. Because the emails came from the companies' genuine sending addresses, recipients had little reason to distrust the links.
Email phishing is so common that users are routinely told to distrust links that do not come from a company's official channels. In this case the links came from exactly those channels, so the usual advice offered no protection: the attackers exploited the trust users placed in mail from these companies' own addresses.
The compromise let the attacker send convincing, legitimate-looking emails whose links led to wallet-draining websites: malicious decentralized applications (dApps) running on the Angel Drainer Group's infrastructure. Blockaid explained that the attackers built on data the companies had previously provided to MailerLite, in particular the DNS records those companies had published to authorize MailerLite to send email on their behalf.
Those records were "dangling DNS": they stayed in the companies' zones after the corresponding MailerLite accounts had been closed, so the attacker could claim the now-inactive accounts and send authenticated mail under the companies' domains. The lesson is that closing a SaaS account is only half the job; the DNS records that delegate to the provider (sending CNAMEs, DKIM keys, SPF includes) must be removed at the same time, or they remain a standing authorization that anyone who can re-register the account can use.
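A zone audit is the practical check that follows from this. The script below is an added illustration, not code from Blockaid, MailerLite or any of the affected companies: it parses a BIND-style zone (a constructed sample using placeholder domains, not the real records of any company named above), picks out every record that delegates mail to a third-party provider (CNAME and MX targets, and the `include:` mechanisms in the SPF TXT record), and flags the ones that point at a vendor the organisation no longer has a live account with. The provider list and the "active vendors" list are hypothetical inputs the operator would maintain.

```python
"""Find DNS records that still delegate email to a third-party provider.

Added example, not the code of any company or vendor in the article.
The zone, the provider names and the list of active vendors are all
constructed placeholders (*.example domains) for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample zone. Two providers are referenced; only one is still
# an active vendor, so records pointing at the other are dangling candidates.
ZONE = """\
example.com.               3600 IN TXT   "v=spf1 include:_spf.mailhost.example include:spf.esp-one.example include:spf.esp-two.example -all"
k1._domainkey.example.com. 3600 IN CNAME k1._domainkey.esp-one.example.
news.example.com.          3600 IN CNAME news.esp-two.example.
example.com.               3600 IN MX    10 mx.mailhost.example.
www.example.com.           3600 IN A     203.0.113.10
"""

# Hypothetical third-party senders the zone may delegate to.
PROVIDERS = {"esp-one.example", "esp-two.example", "mailhost.example"}
# Hypothetical list of vendors with which a live, owned account still exists.
ACTIVE_VENDORS = {"esp-one.example", "mailhost.example"}


@dataclass(frozen=True)
class Finding:
    name: str      # record owner name in our zone
    rtype: str     # CNAME / MX / TXT
    target: str    # external host the record delegates to
    provider: str  # provider domain the target belongs to
    dangling: bool # provider not in the active-vendor list


def parse_zone(text):
    """Minimal parser for 'name TTL IN TYPE rdata' lines; comments ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$", line)
        if m:
            name, rtype, rdata = m.groups()
            records.append((name.rstrip("."), rtype, rdata.strip()))
    return records


def spf_includes(txt_rdata):
    """Return the domains named by include: mechanisms of an SPF TXT record."""
    value = txt_rdata.strip('"')
    if not value.startswith("v=spf1"):
        return []
    return [t.split(":", 1)[1] for t in value.split() if t.startswith("include:")]


def provider_of(host, providers):
    """Map a target host to the provider domain it sits under, if any."""
    host = host.rstrip(".").lower()
    for p in providers:
        if host == p or host.endswith("." + p):
            return p
    return None


def audit_zone(zone_text, providers=PROVIDERS, active_vendors=ACTIVE_VENDORS):
    """Every delegation to a known provider, marked dangling if the vendor
    relationship is no longer active."""
    findings = []
    for name, rtype, rdata in parse_zone(zone_text):
        if rtype == "CNAME":
            targets = [rdata]
        elif rtype == "MX":
            targets = [rdata.split()[-1]]          # "10 host." -> host.
        elif rtype == "TXT":
            targets = spf_includes(rdata)
        else:
            targets = []
        for t in targets:
            p = provider_of(t, providers)
            if p:
                findings.append(Finding(name, rtype, t.rstrip("."), p, p not in active_vendors))
    return findings


def dangling_candidates(zone_text, **kw):
    return [f for f in audit_zone(zone_text, **kw) if f.dangling]


if __name__ == "__main__":
    for f in audit_zone(ZONE):
        status = "REVIEW: vendor account closed" if f.dangling else "ok"
        print(f"{f.rtype:5} {f.name} -> {f.target} [{f.provider}] {status}")
```

On the sample zone this reports six delegations and flags two as dangling candidates: the `news.example.com` CNAME and the `include:spf.esp-two.example` SPF mechanism, both pointing at the provider that is no longer an active vendor. In a real audit the next step is to resolve each flagged target and check with the provider whether the name or account can be re-claimed; a record that still resolves and delegates sending authority to an account you no longer control is exactly the condition described in the text.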
An email from MailerLite explained how the compromise started. While responding to a customer inquiry, a member of its customer support team clicked an image that linked to a fraudulent Google sign-in page and entered their credentials there, handing them to the attacker.
The attacker then logged in with those credentials. That login triggered a confirmation prompt on the team member's mobile phone, and the team member approved it, so the second factor was defeated as well. With that session the attacker reached MailerLite's internal admin panel, reset the password of a specific user, and through that control gained access to 117 accounts, concentrating on cryptocurrency-related ones for the phishing campaign.
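The chain described above (a support login approved on a phone prompt, an admin-panel password reset, then the reset account and many others being accessed) leaves a recognisable pattern in a provider's audit log. The block below is an added detection sketch, not MailerLite's code or log format: it builds a constructed JSON-lines audit log with hypothetical field names and runs two rules over it, one for "admin resets a customer's password and that customer is then logged in from the admin's own source address", and one for "a single support actor touches an unusual number of distinct customer accounts within an hour". The thresholds and the benign counter-example (a reset followed by the customer logging in from their own address) are assumptions of the example.

```python
"""Detection sketch for a phished support account abusing an admin panel.

Added example with a constructed audit log; event and field names are
hypothetical and do not describe any real provider's logging.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed JSON-lines log reproducing the chain in the text."""
    base = datetime(2024, 1, 23, 6, 0, 0)

    def ev(minutes, **fields):
        ts = (base + timedelta(minutes=minutes)).isoformat() + "Z"
        return json.dumps({"ts": ts, **fields})

    lines = [
        # phished support credentials used, push prompt approved by the employee
        ev(0, event="login", actor="support.agent", src="198.51.100.7", mfa="push_approved"),
        # admin panel: reset a customer's password, then log in as that customer
        ev(2, event="admin_password_reset", actor="support.agent", target="cust-0417", src="198.51.100.7"),
        ev(3, event="login", actor="cust-0417", src="198.51.100.7", mfa="none"),
        # benign reset: the customer logs in afterwards from their own address
        ev(40, event="admin_password_reset", actor="support.agent", target="cust-0900", src="198.51.100.7"),
        ev(50, event="login", actor="cust-0900", src="203.0.113.55", mfa="none"),
    ]
    # the same support session then opens a dozen other customer accounts
    for i in range(12):
        lines.append(ev(5 + i, event="account_access", actor="support.agent",
                        target=f"cust-{i:04d}", src="198.51.100.7"))
    return "\n".join(lines)


def parse(log_text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def reset_then_takeover(events, window=timedelta(minutes=15)):
    """Admin resets a password and the target logs in shortly after from the
    admin's own source address: the reset was for the admin, not the user."""
    alerts = []
    for r in (e for e in events if e["event"] == "admin_password_reset"):
        for e in events:
            if (e["event"] == "login" and e["actor"] == r["target"]
                    and r["ts"] <= e["ts"] <= r["ts"] + window
                    and e["src"] == r["src"]):
                alerts.append({"rule": "reset_then_takeover", "admin": r["actor"],
                               "account": r["target"], "src": e["src"]})
    return alerts


def mass_account_access(events, threshold=10, window=timedelta(hours=1)):
    """One actor touching >= threshold distinct customer accounts in a window."""
    alerts = []
    per_actor = defaultdict(list)
    for e in events:
        if e["event"] in ("account_access", "admin_password_reset"):
            per_actor[e["actor"]].append((e["ts"], e["target"]))
    for actor, items in per_actor.items():
        items.sort()
        for t0, _ in items:                      # slide the window from each event
            distinct = {tgt for t, tgt in items if t0 <= t <= t0 + window}
            if len(distinct) >= threshold:
                alerts.append({"rule": "mass_account_access", "admin": actor,
                               "accounts": len(distinct)})
                break
    return alerts


def detect(log_text):
    events = parse(log_text)
    return reset_then_takeover(events) + mass_account_access(events)


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(a)
```

On the constructed log the first rule fires once (the `cust-0417` reset followed by a login from the support session's address) and ignores the benign `cust-0900` reset; the second fires once for `support.agent`, which reached 14 distinct accounts within the hour. The more durable control is upstream of detection: a second factor that a look-alike sign-in page cannot relay (an origin-bound authenticator rather than a push approval) would have stopped the chain at step one.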
An analysis posted by an anonymous Reddit user traced the stolen funds and the attacker's transactions. According to it, one victim's wallet lost approximately 2.64 million worth of XB tokens; the phishing wallet tied to the attack held around 2.7 million, and a further address received 518.75K.
In addition, roughly $520,000 worth of ETH was sent to the privacy protocol Railgun, and the Reddit user expected those funds to be moved on through another mixer or exchange. At the time of writing, ETH was trading at $2,232.92 on the hourly chart.
The recent web3 phishing scam demonstrated the evolving tactics employed by cyber scammers to deceive users and steal their funds. This attack exploited the trust placed in official email addresses and highlighted the importance of vigilance and caution when engaging with email links.
MailerLite's part in the compromise is also a reminder that customer support staff, who open attachments and links from strangers all day, are a natural phishing target. Awareness training alone did not prevent a credential entry on a fake sign-in page followed by an approved phone prompt; a phishing-resistant second factor for staff with admin-panel access, tighter limits on what a support session can do to customer accounts, and alerting on unusual account access would each have cut this chain short.
As the crypto industry continues to grow, it is crucial for users to remain alert, exercise caution, and conduct thorough research before engaging in any financial transactions. Phishing attacks are an unfortunate reality, and users should prioritize cybersecurity to safeguard their investments.