Web3 Phishing: A Timeline of Mass Attacks

A major phishing campaign targeted users of various Web3 protocols, resulting in over $580,000 in cryptocurrency losses. The scammers sent emails from the official email addresses of popular Web3 platforms like WalletConnect, TokenTerminal, Social.Fi, De.Fi, and even Cointelegraph. Here’s a breakdown of how the events unfolded:

At 10:03 am UTC, WalletConnect confirmed that its users were receiving fraudulent emails. The email claimed to be from WalletConnect and urged recipients to click on a link for an airdrop. However, WalletConnect made it clear that they did not send these emails and that the link led to a malicious website. They joined forces with the blockchain security firm Blockcaid to investigate the breach of their email domain.

Just eight minutes later, Cointelegraph got an alert on Telegram that scam emails were being sent from their official email address. Cointelegraph staff members also reported receiving the malicious emails. The emails promised a “10th Anniversary Web3 Exclusive Airdrop” and directed recipients to a malicious Web3 protocol. Cointelegraph’s IT department was immediately notified, and they contacted their email provider, MailerLite, to address the issue. They promptly blocked the malicious links to prevent further damage. Cointelegraph alerted their followers on social media platforms about the phishing attempt and warned against clicking any suspicious links.

Around 11 am, Cointelegraph found out about WalletConnect’s report and launched their own investigation. They reached out to Blockcaid for more information. Additionally, a Telegram user named ZachXBT disclosed that the phishing attack targeted not only Cointelegraph but also WalletConnect, Token Terminal, and De.Fi.

At 11:41 am, Cointelegraph reported the cyber attack, and by noon, they published an article about the extensive phishing campaign affecting multiple websites and protocols. The attackers managed to steal over $580,000 worth of cryptocurrency at the time of the report.

At 1:34 pm, cybersecurity service Hudson Rock released a report suggesting that malware had been discovered on a MailerLite employee’s PC. Hudson Rock speculated that this malware provided access to MailerLite servers, potentially explaining the phishing campaign. Cointelegraph included this information in their coverage.

By 4:55 pm, Blockcaid issued a report sharing the results of their investigation. They claimed that the attacker exploited a vulnerability in MailerLite’s email service to impersonate various web3 companies, resulting in losses exceeding $600,000. MailerLite was conducting its own investigation into the matter at the time of publication.

In summary, this phishing campaign targeted Web3 protocol users, leading to substantial cryptocurrency losses. The attackers utilized official email addresses to deceive recipients and stole funds by leveraging a vulnerability in MailerLite’s email service. Investigations by companies like WalletConnect, Cointelegraph, and cybersecurity firms like Blockcaid and Hudson Rock shed light on the nature of the attack and its potential origins.