The Ethereum Foundation’s email system was compromised and used by attackers to run a phishing campaign. After remediating the issue, the foundation shared details of the incident.
Representatives of the Ethereum Foundation reported a security incident that occurred on June 23, 2024. Attackers gained access to the Ethereum Foundation’s account on the SendPulse email service, as disclosed by Tim Beiko, Ethereum Core Developer. As a result, emails containing phishing links were sent from “updates@ethereum.org” to 35,794 addresses.
According to the report, the attackers mostly used their own database of email addresses. The Ethereum Foundation’s account held a total of 3,759 addresses, and the vast majority of these were already present in the attackers’ database: the compromise added only 81 new addresses to it.
Following the incident, the Ethereum Foundation took immediate actions, including:
- preventing additional email sends;
- notifying users via X and email about the incident, warning about fraudulent emails;
- restoring access to the SendPulse account;
- adding the malicious link distributed in the phishing emails to various blocklists, as a result of which it was blocked by most Web3 wallet providers and by Cloudflare.
Analysis of on-chain activity during the period from the start of the email campaign to the blocking of the malicious domain revealed that no users lost funds during this specific campaign.
The phishing lure was a fictitious collaboration between the Ethereum Foundation and Lido DAO, offering users participation in an ETH, stETH, and WETH staking program with a 6.8% yield. The email redirected users to a malicious website titled “Staking Launchpad,” which prompted the potential victim to stake assets. Doing so would have sent a transaction to the victim’s wallet; had it been approved, “the wallet would have been drained.”
Phishing remains one of the most common methods of crypto fraud. A recent major example was the breach of MailerLite, an email marketing service, where hackers gained access to email addresses of major Web3 companies and used them for sending phishing emails. The total damage from the attack exceeded $580,000.