Cointelegraph, others sent phishing emails in presumed hack
Email addresses belonging to crypto data and news providers Cointelegraph, WalletConnect, Token Terminal, and De.Fi are sending phishing emails.
In a Jan. 23 Telegram post, pseudonymous blockchain sleuth ZachXBT warned of emails sent from the legitimate domains of those companies. Data gathered from blockchain analytics service Arkham Intelligence shows that the phishing address received hundreds of transactions, with nearly all activity starting on Jan. 23. Etherscan data shows 80 transactions on Ethereum (ETH) alone.
Visualization of the transactions that reached the phishing address since Jan. 23 | Source: Arkham Intelligence
So far, it is unclear how the attacker could send messages that appear to come from the aforementioned organizations. Multiple hacking techniques may have been employed by the entity behind the phishing attack.
One tactic is email spoofing, where attackers forge the email header to make the message seem like it’s from a legitimate source. In this scenario, the attacker could have altered the “from” field in the emails to mimic the legitimate domains of the cited companies. However, this approach is usually thwarted by modern email services unless the attacker compromises the DNS records.
Another plausible method is the compromise of the companies’ email servers. Gaining access to these servers would enable the attackers to send emails that genuinely come from the companies’ addresses. Alternatively, the attackers might have accessed individual employee email accounts within these organizations.
This can be done through phishing, malware, or using credentials from other data breaches. Having control over an employee’s email account allows the attacker to send emails that seem to come from that individual.
Lastly, a breach in the security of third-party email service providers used by these companies could also explain the situation. In this case, the attackers would have targeted the service providers rather than the companies, enabling them to send emails from legitimate addresses.
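A receiver-side triage sketch for the scenarios listed above, added here as an example and not taken from the article or any of the companies named. It reads the SPF and DKIM verdicts a receiving server records and separates a forged "from" header from a message that was sent through the domain's own authorized infrastructure, which is the case when a mail server, employee account, or email service provider is compromised. The messages and domains are constructed, and the two-label organizational-domain shortcut is an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

def org_domain(name):
    # Assumption: the last two labels approximate the organizational domain;
    # a production DMARC check would consult the Public Suffix List.
    return ".".join(name.lower().strip(".").split(".")[-2:])

def auth_verdicts(msg):
    """Parse the topmost Authentication-Results header (RFC 8601) into
    (method, result, identity_domain) tuples. Only trust a header that
    your own receiving server added."""
    header = str(msg.get("Authentication-Results", ""))
    out = []
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if m:
            ident = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
            domain = ident.group(1).split("@")[-1] if ident else ""
            out.append((m.group(1), m.group(2).lower(), domain))
    return out

def classify(raw):
    """Return (label, aligned_methods) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(str(msg["From"]))[1].split("@")[-1]
    aligned = [meth for meth, result, dom in auth_verdicts(msg)
               if result == "pass" and org_domain(dom) == org_domain(from_dom)]
    # Aligned pass: the From domain's own infrastructure or key was used,
    # which points at a server, account, or provider compromise.
    # No aligned pass: the From header was forged.
    return ("authenticated-send" if aligned else "forged-from", aligned)

# Constructed sample messages (reserved .example domains, not real traffic).
SPOOFED = (
    "From: Brand News <airdrop@brand.example>\n"
    "Authentication-Results: mx.receiver.example; "
    "spf=pass smtp.mailfrom=mailer.attacker.example; dkim=none\n"
    "Subject: Claim your airdrop\n\nbody\n")
VIA_PROVIDER = (
    "From: Brand News <news@brand.example>\n"
    "Authentication-Results: mx.receiver.example; "
    "spf=pass smtp.mailfrom=bounce.esp.example; "
    "dkim=pass header.d=brand.example\n"
    "Subject: Claim your airdrop\n\nbody\n")

if __name__ == "__main__":
    print(classify(SPOOFED), classify(VIA_PROVIDER))
```

An "authenticated-send" result rules out header forgery only; it does not say which of the remaining compromise paths was used, so the next step is the sending platform's own audit logs.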
At this point, it is unknown which method the attacker employed, or whether any of the ones listed was used. In the meantime, Cointelegraph issued a warning article to its readers, and the Etherscan page for the address also includes a phishing scam disclaimer.
WalletConnect took to X to explain that the company is aware of the phishing campaign promoting a fake airdrop. The company confirmed that its employees or affiliates did not send the email directly and is collaborating with crypto hack protection service Blockaid.
Cointelegraph similarly announced in an X post that the company is “aware of scammers impersonating Cointelegraph.” The company reiterated that it does not issue airdrops.
Token Terminal and De.Fi have issued similar warnings, with the latter attributing the incident to MailerLite — the mail service provider used by the company. The firm explained that the other emails were likely sent the same way.