$600,000 lost in cryptocurrency wallet due to ignored phishing attack

On January 23, Wallet Connect and other web3 companies notified users about a phishing scam that was using email addresses from official web3 companies to steal funds from thousands of cryptocurrency wallets.

Massive phishing campaign

Wallet Connect uses X to notify the community about approved emails sent from email addresses associated with Wallet Connect. The email encouraged recipients to open a link to claim the airdrop, but the link led to a malicious site and, as confirmed by Wallet Connect, was not issued directly by the team or anyone involved. Wallet Connect contacted web3 security and privacy company Blockaid to further investigate the phishing scam.

We have detected a sophisticated phishing attack using identity theft. @WalletConnect Via fake emails linking to malicious dapps.

Blockaid supported wallets are safe: https://t.co/quz9olGrpZ pic.twitter.com/TYS0BjIk2J

— Block Aid (@blockaid_) January 23, 2024

Next time, cryptocurrency detective Posted CoinTelegraph, Token Terminal, and De.Fi team emails have also been compromised, with community alerts notifying unwitting users that a larger, more sophisticated phishing campaign is taking place. At the time of publishing, approximately $580,000 had been stolen.

After investigating, Blockaid later revealed that the attackers “were able to impersonate a web3 company by leveraging a vulnerability in email service provider MailerLite.”

Email phishing scams are common among cyber fraudsters, so users should be wary of the most suspicious links or emails. At the same time, companies and organizations are advised not to open links that do not come from official channels. In this case, because the malicious link came from the company’s official email address, the attacker was able to fool numerous users of the company.

This compromise allowed attackers to send persuasive emails with malicious links attached to wallet-draining websites. Specifically, this link led to several malicious dApps leveraging Angel Drainer Group infrastructure.

As Bloackaid explains, the attackers took advantage of data previously provided to Mailer Lite because they had previously been given access by these companies to send emails on behalf of these sites’ domains. It is specifically detailed using existing DNS records. Thread:

Specifically, they used “dangling DNS” records created and associated with Mailer Lite (previously used by these companies). Even after an account is closed, these DNS records remain active, providing an opportunity for attackers to claim and impersonate these accounts. pic.twitter.com/cbTpc5MXu1

— Block Aid (@blockaid_) January 23, 2024

MailerLite explains security breach

The explanation came later via email, in which MailerLite explained that its investigation revealed that a member of its customer support team had inadvertently become the initial point of compromise. As explained in the email:

A team member responding to a customer inquiry through the support portal clicked on an image that deceptively linked to a fraudulent Google sign-in page. Entering credentials there by mistake gave the perpetrator access to their account. The intrusion was inadvertently authenticated by a team member through cell phone verification, and was believed to be a legitimate access attempt. This breach allowed the perpetrators to infiltrate internal management panels.

MailerLite added that the attackers reset specific users’ passwords in the admin panel to further consolidate unauthorized control. This control gave them access to 117 accounts, of which they only focused on cryptocurrency-related accounts for their phishing campaigns.

An anonymous Reddit user posted an analysis of the situation and took a closer look at the attacker’s transactions. The user stated:

One victim wallet appears to have lost 2.64 million XB tokens. There are about 2.7M in the phishing wallet of 0xe7D13137923142A0424771E1778865b88752B3c7, and 518.75K went into 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D.

Users said most of the stolen funds were in the first phishing address. At the same time, about $520,000 worth of ETH was transferred to the privacy protocol Railgun, which he believes will soon move through other mixers or exchanges.

  ETH is trading at $2,232.92 in the hourly chart. Source: ETHUSDT on TradingView.com

Featured image from Unsplash.com, chart from TradingView.com

Disclaimer: This article is provided for educational purposes only. This does not represent NewsBTC’s opinion on whether to buy, sell or hold any investment, and of course investing carries risks. We recommend that you do your own research before making any investment decisions. Your use of the information provided on this website is entirely at your own risk.