A coordinated phishing attack targeted the cryptocurrency market, resulting in losses exceeding $580,000.
On-chain sleuth ZachXBT reports that users received suspicious emails imitating web3 businesses such as CoinTelegraph, Token Terminal, and Wallet Connect.
The emails tricked users into clicking “airdrop claim” links that led to websites that drained their funds, even though the messages appeared to come from the named companies’ official addresses.
Community Alert: Phishing emails are currently being sent out that appear to be from CoinTelegraph, Wallet Connect, Token Terminal and DeFi team emails.
~$580K has been stolen so far
0xe7D13137923142A0424771E1778865b88752B3c7 pic.twitter.com/XoN65HxOYh
— ZachXBT (@zachxbt) January 23, 2024
The excerpts from ZachXBT’s post showed how faithfully the attackers had replicated the companies’ genuine mail templates.
ZachXBT also reported the address to which the stolen funds were moved.
Mailer Lite is hacked
A subsequent investigation by web3 security company Blockaid found that the root cause was a compromise of the email service provider Mailer Lite.
Attackers gained unauthorized access to Mailer Lite’s systems through a vulnerability and then used that access to impersonate well-known cryptocurrency businesses.
Today, Blockaid researchers discovered a phishing attack where an attacker was able to leverage a vulnerability in email service provider Mailer Lite to impersonate web3 companies, draining $600k+. Blockaid instantly protected millions of users and was able to safeguard $2.7M. pic.twitter.com/SvGMdB4vNZ
— Blockaid (@blockaid_) January 23, 2024
According to Blockaid, the attackers exploited the fact that Mailer Lite had already been authorized to send email on behalf of these companies’ domains, so messages sent through it appeared to originate from those organizations.
Token Terminal and WalletConnect respond
The impacted businesses, whose addresses had been used fraudulently, moved quickly to reassure their customers.
Token Terminal said it has disconnected its domain from Mailer Lite and, in addition, deleted all subscriber data to prevent further incidents.
⚠️ Follow-up on the recent phishing incident involving @MailerLite, our newsletter service provider. pic.twitter.com/VbCIZJt03N
— Token Terminal (@tokenterminal) January 23, 2024
WalletConnect likewise told its users that it was aware of the situation and advised them not to act on the email about the airdrop claim.
The phishing email led DeFi users to believe that the airdrop was part of the launch of new staking options on the platform’s Launchpad.
Cointelegraph users, meanwhile, were told that the cryptocurrency media outlet was celebrating ten years of operation. Notably, the sender addresses on the phishing emails were indistinguishable from the real addresses of the companies being impersonated, which led many of the scam’s intended victims to fall for it. ZachXBT reported that users had lost $580,000 so far.
As word of the coordinated phishing attacks spread, the affected businesses issued multiple statements warning users and disassociating themselves from the hacking attempts. Users were advised not to click on any links related to airdrops. WalletConnect said it was aware of an email, apparently sent from an account connected to WalletConnect, that directs recipients to click a link to redeem an airdrop. It added that the link in the email appears to lead to a malicious website and that neither WalletConnect nor any of its affiliates sent the email.
We’re aware of an email that appears to have been sent from an email address linked to WalletConnect prompting recipients to open a link to be able to claim an airdrop.
We can confirm that this email was not issued directly from WalletConnect or any WalletConnect affiliates, and… pic.twitter.com/bksAlMnWja
— WalletConnect (@WalletConnect) January 23, 2024
Reports of phishing websites are on the rise, in step with the steady growth of wallet-drainer services.
Airdrops are increasingly used as a lure to drain cryptocurrency holdings. Users should exercise extra caution with such offers, and it is always wise to verify an offer before accepting it.
Other platforms that have suffered similar losses have also started surfacing. A commenter on ZachXBT’s post says, “There have been massive data breaches going around recently. And another one just the other day from Trello. So phishing emails are probably going to ramp up even more in the coming days. And please have a separate email for all crypto forms you fill out; don’t use your email.”