Phishing Attack on MyEtherWallet Steals $150,000 From Wallet Users

MyEtherWallet users are in an uproar after approximately 250 ETH, around $150,000 worth, went missing following a Domain Name System (DNS) server attack that began Tuesday at noon and redirected visitors to a phishing site.

Kosala Hemachandra, Founder and CEO of MyEtherWallet, released this comment fifteen minutes after the attack:

This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public-facing DNS servers.

A majority of those affected were using Google DNS servers. Affected users are likely to have clicked the “ignore” button on an SSL warning that pops up when visiting a malicious site imitating MEW. We recommend all our users to switch to Cloudflare DNS servers in the meantime.

Phishing and MEW

While this is a common hacking trick and not a reflection on MEW’s coding, it’s still costing users thousands of dollars and creating a great deal of panic. Reddit, GitHub, and Twitter have all been active with news from within the community.

DNS phishing attacks work by redirecting visitors from a legitimate website with SSL encryption to an untrusted, but often virtually identical, site where hackers ask for your private data in order to steal your funds.
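A defender can spot this kind of redirection by asking several resolvers for the same name and comparing the answers. The following is an added example, not code from MEW or from this article; the resolver names and addresses are constructed (documentation ranges), and the input is assumed to be the text printed by `dig +short A <name> @<resolver>`.

```python
import ipaddress
from collections import Counter

# Constructed sample: one `dig +short` output per resolver for the same name.
SAMPLE = {
    "resolver-a": "192.0.2.10\n192.0.2.11\n",
    "resolver-b": "192.0.2.11\n192.0.2.10\n",
    "resolver-c": "198.51.100.66\n",   # answer that shares nothing with the others
    "resolver-d": "",                  # timed out / empty answer
}

def parse_answers(text):
    """Return the set of IP addresses in dig +short output; CNAME lines are skipped."""
    addrs = set()
    for line in text.splitlines():
        try:
            addrs.add(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue  # hostname (CNAME target), comment or blank line
    return addrs

def divergent_resolvers(raw):
    """Flag resolvers whose answer has no address in common with the majority view."""
    parsed = {name: parse_answers(out) for name, out in raw.items()}
    answered = {name: addrs for name, addrs in parsed.items() if addrs}
    # An address is "consensus" if more than half of the answering resolvers return it.
    quorum = len(answered) // 2 + 1
    counts = Counter(ip for addrs in answered.values() for ip in addrs)
    consensus = {ip for ip, seen in counts.items() if seen >= quorum}
    report = {"consensus": sorted(consensus), "divergent": [], "no_answer": []}
    for name in sorted(parsed):
        if not parsed[name]:
            report["no_answer"].append(name)
        elif consensus and not (parsed[name] & consensus):
            report["divergent"].append(name)
    return report

if __name__ == "__main__":
    print(divergent_resolvers(SAMPLE))
```

A flagged resolver is a prompt to investigate, not proof: CDNs and geo-aware DNS return different addresses legitimately, and if most resolvers are poisoned the consensus itself is wrong. The certificate check in the browser remains the deciding signal.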

While we don’t know where funds are being ultimately transferred to, the address 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29 has received nearly 180 transactions since this morning, sending 250 Ether to the address 0x68ca85dbf8eba69fb70ecdb78e0895f7cd94da83. The image below shows a total of 250 Ether moving in and out of the Ethereum address linked to the phishing heist, and Etherscan has also flagged this additional address – now showing a zero balance – for its role in the heist.

The community has been quick to investigate the source of the attack. A Discord user quickly found the Google DNS responsible.

Another community member investigating the hack, Mohammed Jabir, tracked down the stolen ETH for sale on an Arabic crypto forum and translated it in his Twitter post shown below. MEW has issued steps for making sure one’s wallet is safe, including the suggestion to run it offline from a GitHub download straight from the MEW team.

When these kinds of security breaches happen, they greatly reduce trust, even when they aren’t caused by anything the wallet site has done. Though there’s a great deal of evidence that the community has banded together to help one another avoid these situations, many are soliciting advice on wallet storage options other than MEW.

Just a week ago, Kosala Hemachandra announced exciting plans for the MEW team in our exclusive interview. Today, the burden is on them to show a thoughtful response that will eliminate these types of security risks to users.

In the wake of all this controversy, many are wondering if the attackers will also target other sites. Cloudflare posted an excellent summary of the day’s events and the parties which are all partially responsible for this scam:

Events like these are a reminder that cryptocurrency still has many elements of the Wild West and that hackers are lured by this setup, pushing us to seek greater security wherever possible. Always remember to check for anything out of the ordinary, whether it’s a certificate missing or a domain name that’s slightly off.

Leslie Ankney

Leslie Ankney is a cryptocurrency investor, writer, and digital nomad. Follow her adventures on Twitter and Instagram at @CryptoLeslie
