Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/ethereumfoundationmailinglistphishing.php}} {{Unattributed Sources}} Ethereum Foundation Logo/HomepageLate in the afternoon of June 22nd, an email was sent to 35,794 people, including at least 3,759 email addresses from the Ethereum Foundation's mailing list. The email offered respondents 6.8% APY return from staking in the Lido protocol through a p..."

2024-09-18T21:55:47Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/ethereumfoundationmailinglistphishing.php}} {{Unattributed Sources}} thumb|Ethereum Foundation Logo/HomepageLate in the afternoon of June 22nd, an email was sent to 35,794 people, including at least 3,759 email addresses from the Ethereum Foundation's mailing list. The email offered respondents 6.8% APY return from staking in the Lido protocol through a p..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/ethereumfoundationmailinglistphishing.php}}
{{Unattributed Sources}}

[[File:Ethereumfoundation.jpg|thumb|Ethereum Foundation Logo/Homepage]]Late in the afternoon of June 22nd, an email was sent to 35,794 people, including at least 3,759 email addresses from the Ethereum Foundation's mailing list. The email offered respondents 6.8% APY return from staking in the Lido protocol through a partnership with the Ethereum Foundation. There was no push for urgency or limited time offer in the email, and the Ethereum Foundation notified users of the phishing with a follow up email shortly thereafter. Blockchain analysis shows that no users have fallen for the attack, and no funds were lost.<ref name="rektnews-14663" /><ref name="ethereum-14664" /><ref name="ethereum-14665" /><ref name="ethereum-14666" /><ref name="timbeikotwitter-14667" /><ref name="sendpulsecomtwitter-14668" /><ref name="timbeikotwitter-14669" /><ref name="fivedogittwitter-14670" /><ref name="bleepingcomputer-14671" />

== About Ethereum Foundation ==
"The Ethereum Foundation(opens in a new tab) (EF) is a non-profit organization dedicated to supporting Ethereum and related technologies.

The EF is not a company, or even a traditional non-profit. Their role is not to control or lead Ethereum, nor are they the only organization that funds critical development of Ethereum-related technologies. The EF is one part of a much larger ecosystem."

"Our vision for Ethereum is the Infinite Garden. Ethereum is more than a technology, it is a diverse ecosystem of individuals and organizations that build and grow alongside a protocol. The Ethereum ecosystem wasn't something that was designed by any one individual or organization, but it organically evolved with the support of people who nurture the ecosystem to become more vibrant and diverse."

"We are proudly bringing the Ethereum community an innovative and secure way to stake with Lido."

"Now, you can earn a remarkable 6.8% APY on your stETH, wETH, or ETH deposits, all while enjoying the peace of minde that comes with best in blass security."

"This collaboration harnesses the strengths of both organizations to deliver deep liquidity and competitive rewards, enhancing your staking experience with over 100+ integrations. Together, we are selling a new standard for decentralized finance, providing a secure, transparent, and resilient protocol that empowers the Ethereum community like never before."

"Protected and Verified by the Ethereum Foundation" "Over 100+ integrations" "Best in-clas ssecurity" "Transparent and Resilient Protocol"

"This is just the beginning. We are committed to delivering a seamless and rewarding experience for all Ethereum users, and we are excited to continue building the future of decentralized finance together."

"Join us in this exciting new chapter of Ethereum's journey."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
"The attack occurred on the night of June 23 when an email was sent from the address ‘updates@blog.ethereum.org' to 35,794 addresses."
{| class="wikitable"
|+Key Event Timeline - Ethereum Foundation Mailing List Phishing
!Date
!Event
!Description
|-
|June 22nd, 2024 6:19:00 PM MDT
|Email Phishing Campaign
|The email phishing campaign sends to thousands of recipients.
|-
|June 22nd, 2024 7:47:00 PM MDT
|Account Hack Tweet
|Tim Beiko of the Ethereum Foundation notifies that is appears the mailing list provider may have been compromised and includes a screenshot of the email which was received.
|-
|June 22nd, 2024 7:55:00 PM MDT
|Nansen Address Used
|User reports that their Nansen email address was used for the phishing attack.
|-
|June 22nd, 2024 9:41:00 PM MDT
|Account Locked Down
|The Ethereum Foundation updates Twitter to indicate that they believe they've locked down the account, they sent an update to all subscribers warning them about the phishing link, and
|-
|June 25th, 2024 4:52:00 AM MDT
|SendPulse Investigation Tweet
|SendPulse shares an update to indicate that the email was snet through a Google Workspace account, and not any of the SendPulse infrastructure.
|-
|July 2nd, 2024
|Ethereum Foundation Blog Post
|The Ethereum Foundation shares a blog post with details of the phishing campaign and their investigation.
|-
|July 4th, 2024 10:17:29 AM MDT
|Bleeping Computer Article
|Bleeping Computer shares an article on the phishing attack.
|}

== Technical Details ==
"In June, a threat actor compromised Ethereum's mailing list provider and sent to over 35,000 addresses a phishing email with a link to a malicious site running a crypto drainer."

"The results of the investigation into the incident involving unauthorized access to the Ethereum Foundation account show that a Google Workspace account was used for the breach. There is no evidence that the SendPulse infrastructure or other users’ accounts were compromised."

"Ethereum says that the threat actor used a combination of their own email address list and an additional 3,759 exported from the platform's blog mailing list. However, only 81 of the exported addresses were previously unknown to the attacker."

== Total Amount Lost ==
"On-chain transaction analysis showed that none of the email recipients fell for the trap during the campaign."

No funds were lost.

== Immediate Reactions ==
"Ethereum disclosed the incident in a blog post and said that it had no material impact on users."

"it seems like the mailing list provider the EF uses for "updates@ethereum.org" has been compromised. We are currently trying to reach @SendPulseCom to resolve the issue. Please don't click any links sent from that email."

"Ethereum says that its internal security team launched an investigation as soon as possible to identify the attacker, understand the attack's purpose, determine the timeline, and identify the affected parties.

The attacker was quickly blocked from sending more emails and Ethereum took to Twitter to notify the community about the malicious emails, warning everyone not to click the link.

Ethereum also submitted the malicious link to various blocklists, which led to it being blocked by most Web3 wallet providers and Cloudflare."

== Ultimate Outcome ==
"Ethereum concludes by saying it has taken additional measures and is migrating some email services to other providers to prevent such an incident from happening again."

"The results of the investigation into the incident involving unauthorized access to the Ethereum Foundation account show that a Google Workspace account was used for the breach. There is no evidence that the SendPulse infrastructure or other users’ accounts were compromised."

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-14663">[https://rekt.news/cryptos-achillesheel/ Rekt - Crypto's Achilles' Heel] (Accessed Jul 12, 2024)</ref>

<ref name="ethereum-14664">[https://ethereum.org/en/foundation/ Ethereum Foundation | ethereum.org] (Accessed Jul 12, 2024)</ref>

<ref name="ethereum-14665">[https://ethereum.foundation/ https://ethereum.foundation/] (Accessed Jul 12, 2024)</ref>

<ref name="ethereum-14666">[https://ethereum.foundation/infinitegarden https://ethereum.foundation/infinitegarden] (Accessed Jul 12, 2024)</ref>

<ref name="timbeikotwitter-14667">[https://twitter.com/TimBeiko/status/1804721462407725441 @TimBeiko Twitter] (Accessed Jul 12, 2024)</ref>

<ref name="sendpulsecomtwitter-14668">[https://twitter.com/SendPulseCom/status/1805554639036658057 @SendPulseCom Twitter] (Accessed Jul 12, 2024)</ref>

<ref name="timbeikotwitter-14669">[https://twitter.com/TimBeiko/status/1804693090944553186 @TimBeiko Twitter] (Accessed Jul 12, 2024)</ref>

<ref name="fivedogittwitter-14670">[https://twitter.com/fivedogit/status/1804694756435407236 @fivedogit Twitter] (Accessed Jul 12, 2024)</ref>

<ref name="bleepingcomputer-14671">[https://www.bleepingcomputer.com/news/security/ethereum-mailing-list-breach-exposes-35-000-to-crypto-draining-attack/ Ethereum mailing list breach exposes 35,000 to crypto draining attack] (Accessed Jul 12, 2024)</ref></references>

Ethereum Foundation Mailing List Phishing - Revision history