MailerLite confirms hack that led to $3.3M crypto-phishing email attacks



Email marketing firm MailerLite has confirmed that hackers gained access to accounts of large Web3 companies to carry out phishing email scams that drained an estimated $3.3 million from subscribers.

Cointelegraph was among a handful of Web3 companies targeted in the Jan. 23 attack, with emails sent from the official accounts of WalletConnect, Token Terminal and De.Fi containing malicious links harboring wallet-draining software.

A screenshot of MailerLite’s incident report outlining how attackers targeted a customer support employee to gain control of Web3 email addresses. Source: MailerLite

Hours after the emails had been sent to subscribers, MailerLite released details of how its system had been compromised through a social engineering attack targeting a customer support employee. 

“The team member, responding to a customer inquiry via our support portal, clicked on an image that was deceptively linked to a fraudulent Google sign-in page,” the statement outlined.

The employee then unwittingly authenticated on the fraudulent page, which gave the attackers access to MailerLite’s internal admin panel. The hackers gained further control by resetting a specific user’s password through the admin panel.

“With this level of access, they were able to impersonate user accounts. The focus was exclusively on cryptocurrency-related accounts.”

MailerLite revealed that the hackers accessed 117 accounts but only exploited a small number to launch phishing campaigns. The service provider warned that its clients’ and subscribers’ data, including full names, email addresses and personal information uploaded to MailerLite, were affected.

Cointelegraph reached out to MailerLite’s support team and has yet to receive any additional information about the incident despite being a prominent target of the phishing email scam.

Cointelegraph’s correspondence with MailerLite’s support team. Source: Cointelegraph

Blockchain analytics platform Nansen assisted Cointelegraph in estimating the value of funds stolen by the attackers. According to its research team, which tracked token flows on Nansen-supported blockchains, the main phishing wallet has seen $3.3 million of total inflows.

“But $2.6 million of that number is Xbanking tokens, which seem to be trading on Latoken exchange only (via CoinGecko). And seem less liquid. 2.6 million is 80% of its fully diluted valuation, and it could be hard to convert it,” Nansen’s team told Cointelegraph.


Subtracting the Xbanking (XB) tokens from the total, Nansen estimates the more easily convertible portion of the stolen funds at $700,000.

A detailed thread on Reddit from an anonymous user also arrived at a similar estimate of the total funds stolen through the incident. Nansen corroborated the findings, which included mention of XB tokens.

Blockchain analytics and visualization software shows the transfer of stolen funds to Railgun. Source: Reddit/jbtravel84

Both Nansen and the Reddit post highlight that the attackers used the privacy protocol Railgun to obfuscate the transfer of stolen tokens. The system is a privacy solution built directly on-chain for Ethereum, BNB Chain, Polygon and Arbitrum, which uses zero-knowledge cryptography to enable the private use of smart contracts and decentralized finance protocols.
