Ethereum Foundation Mailing List Phishing

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:55, 18 September 2024 by Azoundria


Ethereum Foundation Logo/Homepage

Late in the afternoon of June 22nd, an email was sent to 35,794 people, including at least 3,759 email addresses from the Ethereum Foundation's mailing list. The email offered recipients a 6.8% APY return from staking in the Lido protocol through a purported partnership with the Ethereum Foundation. There was no push for urgency or limited-time offer in the email, and the Ethereum Foundation notified users of the phishing with a follow-up email shortly thereafter. Blockchain analysis shows that no users fell for the attack, and no funds were lost.[1][2][3][4][5][6][7][8][9]

About Ethereum Foundation

"The Ethereum Foundation (EF) is a non-profit organization dedicated to supporting Ethereum and related technologies.

The EF is not a company, or even a traditional non-profit. Their role is not to control or lead Ethereum, nor are they the only organization that funds critical development of Ethereum-related technologies. The EF is one part of a much larger ecosystem."

"Our vision for Ethereum is the Infinite Garden. Ethereum is more than a technology, it is a diverse ecosystem of individuals and organizations that build and grow alongside a protocol. The Ethereum ecosystem wasn't something that was designed by any one individual or organization, but it organically evolved with the support of people who nurture the ecosystem to become more vibrant and diverse."

"We are proudly bringing the Ethereum community an innovative and secure way to stake with Lido."

"Now, you can earn a remarkable 6.8% APY on your stETH, wETH, or ETH deposits, all while enjoying the peace of minde [sic] that comes with best in blass [sic] security."

"This collaboration harnesses the strengths of both organizations to deliver deep liquidity and competitive rewards, enhancing your staking experience with over 100+ integrations. Together, we are selling a new standard for decentralized finance, providing a secure, transparent, and resilient protocol that empowers the Ethereum community like never before."

"Protected and Verified by the Ethereum Foundation" "Over 100+ integrations" "Best in-clas ssecurity [sic]" "Transparent and Resilient Protocol"

"This is just the beginning. We are committed to delivering a seamless and rewarding experience for all Ethereum users, and we are excited to continue building the future of decentralized finance together."

"Join us in this exciting new chapter of Ethereum's journey."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"The attack occurred on the night of June 23 when an email was sent from the address 'updates@blog.ethereum.org' to 35,794 addresses."

Key Event Timeline - Ethereum Foundation Mailing List Phishing

Date | Event | Description
June 22nd, 2024 6:19:00 PM MDT | Email Phishing Campaign | The email phishing campaign is sent to thousands of recipients.
June 22nd, 2024 7:47:00 PM MDT | Account Hack Tweet | Tim Beiko of the Ethereum Foundation notifies that it appears the mailing list provider may have been compromised and includes a screenshot of the email which was received.
June 22nd, 2024 7:55:00 PM MDT | Nansen Address Used | A user reports that their Nansen email address was used for the phishing attack.
June 22nd, 2024 9:41:00 PM MDT | Account Locked Down | The Ethereum Foundation updates Twitter to indicate that they believe they've locked down the account, they sent an update to all subscribers warning them about the phishing link, and
June 25th, 2024 4:52:00 AM MDT | SendPulse Investigation Tweet | SendPulse shares an update to indicate that the email was sent through a Google Workspace account, and not any of the SendPulse infrastructure.
July 2nd, 2024 | Ethereum Foundation Blog Post | The Ethereum Foundation shares a blog post with details of the phishing campaign and their investigation.
July 4th, 2024 10:17:29 AM MDT | Bleeping Computer Article | Bleeping Computer shares an article on the phishing attack.

Technical Details

"In June, a threat actor compromised Ethereum's mailing list provider and sent to over 35,000 addresses a phishing email with a link to a malicious site running a crypto drainer."

"The results of the investigation into the incident involving unauthorized access to the Ethereum Foundation account show that a Google Workspace account was used for the breach. There is no evidence that the SendPulse infrastructure or other users’ accounts were compromised."

"Ethereum says that the threat actor used a combination of their own email address list and an additional 3,759 exported from the platform's blog mailing list. However, only 81 of the exported addresses were previously unknown to the attacker."

Total Amount Lost

"On-chain transaction analysis showed that none of the email recipients fell for the trap during the campaign."

No funds were lost.

Immediate Reactions

"Ethereum disclosed the incident in a blog post and said that it had no material impact on users."

"it seems like the mailing list provider the EF uses for 'updates@ethereum.org' has been compromised. We are currently trying to reach @SendPulseCom to resolve the issue. Please don't click any links sent from that email."

"Ethereum says that its internal security team launched an investigation as soon as possible to identify the attacker, understand the attack's purpose, determine the timeline, and identify the affected parties.

The attacker was quickly blocked from sending more emails and Ethereum took to Twitter to notify the community about the malicious emails, warning everyone not to click the link.

Ethereum also submitted the malicious link to various blocklists, which led to it being blocked by most Web3 wallet providers and Cloudflare."

Ultimate Outcome

"Ethereum concludes by saying it has taken additional measures and is migrating some email services to other providers to prevent such an incident from happening again."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Crypto's Achilles' Heel (Accessed Jul 12, 2024)
  2. Ethereum Foundation | ethereum.org (Accessed Jul 12, 2024)
  3. https://ethereum.foundation/ (Accessed Jul 12, 2024)
  4. https://ethereum.foundation/infinitegarden (Accessed Jul 12, 2024)
  5. @TimBeiko Twitter (Accessed Jul 12, 2024)
  6. @SendPulseCom Twitter (Accessed Jul 12, 2024)
  7. @TimBeiko Twitter (Accessed Jul 12, 2024)
  8. @fivedogit Twitter (Accessed Jul 12, 2024)
  9. Ethereum mailing list breach exposes 35,000 to crypto draining attack (Accessed Jul 12, 2024)