Fraudsters stole over $580,000 in crypto by sending phishing emails through the addresses of major Web3 companies. The victims include users of WalletConnect, Cointelegraph, De.Fi, and Token Terminal.
An anonymous researcher and blockchain security specialist known under the pseudonym ZachXBT reported a large-scale phishing attack. He said scammers sent emails with malicious links and stole ~$580,000 in crypto.
Scam victims report that the phishing link was attached to emails from large Web3 companies, namely:
- Cointelegraph users received emails with information about the company’s tenth anniversary celebration and invitations to participate in an exclusive airdrop for “the most loyal subscribers.”
- WalletConnect users received invitations to take part in an “extraordinary” airdrop created in collaboration with Web3Inbox.
- Phishing links also arrived in emails announcing a fake beta launch of Token Terminal’s access and inviting users to participate in an airdrop for “community members only.”
- Users of the antivirus app De.Fi received emails inviting them to join “cutting-edge opportunities” via Launchpad.
According to Cointelegraph, hackers exploited MailerLite, an email marketing service, to access company addresses. Jess Houlgrave, COO at WalletConnect, confirmed that the hackers used the company’s actual address to send the emails. Although the company wasn’t using MailerLite’s services at the time of the attack, the hackers used pre-existing DNS records.
MailerLite is currently investigating the incident. According to Hudson Rock analysts, the hackers gained access to a computer belonging to a company employee. By installing the CRYPTBOT Infostealer malware program, the hackers accessed MailerLite’s servers. Blockaid analysts said the hackers used the same malware during the Ledger Connect Kit attack in December 2023. Analysts found that hackers are using Skype, Telegram, and Google Ads to distribute phishing links.