Web3 protocol mass phishing campaign timeline


On Jan. 23, the users of multiple Web3 protocols were hit with a mass phishing campaign by scammers. Over $580,000 worth of crypto has been lost in the attack so far, which used emails sent from the official email addresses of Web3 protocols WalletConnect, TokenTerminal, Social.Fi, and De.Fi, as well as Cointelegraph.

Here is a timeline of what happened:

10:03 am UTC: WalletConnect announces that its users have been receiving malicious emails. “We’re aware of an email that appears to have been sent from an email address linked to WalletConnect prompting recipients to open a link to be able to claim an airdrop,” the announcement states. “We can confirm that this email was not issued directly from WalletConnect or any WalletConnect affiliates, and that the link appears to lead to a malicious site.”

The WalletConnect team claims that it is working with blockchain security firm Blockaid to determine how the attacker gained access to the team’s email domain. Blockaid subsequently shares the report from its own X account.

10:11 am UTC: Cointelegraph receives an alert on Telegram that its official email address is sending out scam emails to subscribers. Cointelegraph staff also started to report internally that they had received the malicious email. The mail (screenshot below) claims to be a “10th Anniversary Web3 Exclusive Airdrop” and links to a malicious Web3 protocol.

Malicious email sent from Cointelegraph’s official email address. Source: Cointelegraph writer.

The Cointelegraph IT department was immediately alerted to the problem and in turn contacted its email provider, MailerLite, in an attempt to determine the cause. Meanwhile, Cointelegraph’s IT team successfully blocked the malicious links, preventing them from being sent out to anyone else.

Cointelegraph also posts to X and other social media platforms warning that it is not promoting an airdrop, and that users should not click links from emails claiming otherwise.

Approximately 11 am: Cointelegraph becomes aware of the WalletConnect report and begins an investigation. It contacts Blockaid in an attempt to gain more information. Soon after, ZachXBT reports on Telegram that the phishing attack is coming from “CoinTelegraph, WalletConnect, Token Terminal, and De.Fi.”

11:41 am: Cointelegraph reports the hack.

Approximately noon: Cointelegraph posts a report on the widespread phishing campaign, which is now affecting at least five different websites and protocols. Over $580,000 worth of crypto had been stolen through the attack by the time of the report.

1:34 pm: Cybersecurity service Hudson Rock releases a report claiming that it discovered malware on a PC belonging to an employee of email service MailerLite, the same email service used by all of the websites that have sent out the malicious emails. Hudson Rock theorizes that this malware may have allowed the attacker to gain access to MailerLite servers, which may explain how the phishing campaign occurred. Cointelegraph updated coverage to include Hudson Rock’s claims.

According to the report, “Hudson Rock researchers identified a recently infected computer of a MailerLite employee with accesses to sensitive URLs within MailerLite & its third parties.” The computer had access to login credentials for the URL, https://admin.mailerlite.com/admin, which appears to be the login page for MailerLite employees.

In addition, the PC contained valid cookies for Slack.com and Office365, which could have been used to perform session hijacks to obtain private information. The cybersecurity firm claims to have obtained an image of the user’s desktop at the time the attack happened, and this image “reveals that they were compromised when trying to execute an infected software.”

Alleged image of MailerLite employee’s PC at the moment of attack. Source: Hudson Rock.

Hudson Rock cautioned that this evidence does not prove that the phishing campaign was caused by this malware infection, as they stated that “it is uncertain whether MailerLite suffered an exploit or not.” However, the evidence “illustrates how a single infostealer infection could be detrimental to any company” and provides a plausible hypothesis for how the phishing campaign may have been possible.

4:55 pm: Blockaid releases a report on the results of its investigation. It claims that the attacker “was able to leverage a vulnerability in email service provider Mailer Lite to impersonate web3 companies, draining $600k+.” 

Email service provider MailerLite has responded to Cointelegraph’s inquiries, stating that it is currently carrying out its own investigation. At the time of publication, it had not yet provided its report.