A coordinated crypto hack and phishing campaign is targeting investors and flooding their inboxes with fake emails promoting token airdrops. 

Hackers have been impersonating several major Web3 companies, such as WalletConnect, Cointelegraph, and Token Terminal. 

An Ongoing Attack 

The campaign was brought to light in a tweet by on-chain investigator ZachXBT, who revealed that investors have been receiving phishing emails from multiple sources claiming to be from platforms such as the full-stack on-chain data platform Token Terminal, the dApp and crypto wallet bridge provider WalletConnect, the decentralized finance portfolio tracker De.Fi, and the crypto media house Cointelegraph.

“Community Alert: Phishing emails are currently being sent out that appear to be from CoinTelegraph, Wallet Connect, Token Terminal, and DeFi team emails. ~$580K has been stolen so far.”

Screenshots posted by the blockchain investigator revealed that the emails sent to investors contained offers of fake airdrops designed to lure the recipients into clicking the links in the email. All the emails were designed for the same purpose, although scammers gave several different reasons for the fake airdrops. 

Various Fake Offers 

In WalletConnect's case, the hackers claimed the airdrop marked a “special occasion” and was meant to express gratitude to its community members. Meanwhile, Token Terminal users were told the free tokens were to celebrate a new milestone: unveiling the platform’s beta version.

De.Fi users were made to believe the airdrop was part of the launch of innovative staking options on the platform’s Launchpad. In contrast, Cointelegraph users were told the crypto media house was celebrating its 10th anniversary. Notably, the email addresses used for the phishing attacks had no noticeable difference from the genuine addresses of the impersonated companies, which led several intended victims to fall for the scam. ZachXBT stated that so far, $580,000 had been stolen from users.

Firms Warn Users

As news regarding the coordinated phishing attacks began spreading, the impacted companies released several statements to alert users and distance themselves from the hacking attempts. They urged users to refrain from clicking on any airdrop link. WalletConnect, in its clarification, stated, 

“We’re aware of an email that appears to have been sent from an email address linked to WalletConnect, prompting recipients to open a link to be able to claim an airdrop. We can confirm that this email was not issued directly from WalletConnect or any WalletConnect affiliates and that the link appears to lead to a malicious site.”

Meanwhile, Cointelegraph issued a scam alert and stated it does not issue airdrops. Taking to social media platform X, the crypto media house stated, 

“We’ve been made aware of scammers impersonating Cointelegraph. Cointelegraph does not issue airdrops. Please don’t respond or click on any links sent in your DM/E-MAIL by anyone claiming to be part of the Cointelegraph team.”

Token Terminal also confirmed that the email was fake. 

Root Of The Problem 

With investigations ongoing, De.Fi has traced the issue to Mailer Lite, an email service provider also used by the other companies impacted by the hack. De.Fi stated it was already in the process of moving its databases to another provider.

“We are already moving our databases to another provider to ensure further safety of our users.”

The hacker reportedly used a vulnerability in Mailer Lite to mimic the Web3 firms, making it look as though the firms themselves were sending out the links. In fact, the emails contained links connected to wallet drainer sites. Blockaid explained,

“The attackers took advantage of the fact that Mailer Lite had previously been given permission to send email on behalf of these site’s domains, enabling them to craft emails that seemed to be coming from these organizations. Specifically, they used ‘dangling DNS’ records, which were created and associated with Mailer Lite (previously used by these companies). After closing their accounts, these DNS records remain active, giving attackers the opportunity to claim and impersonate these accounts.”
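
A defensive audit for the leftover records Blockaid describes, as an added example that is not part of the original article or of any named company's tooling: it scans a zone export for CNAME, MX and SPF entries that still delegate to an email provider no longer in use. The zone contents, the domain names and the helper names (`find_stale_delegations` and friends) are constructed for illustration.

```python
import shlex

# Constructed zone export. corp.example, esp-old.example and mail-new.example
# are placeholder names, not domains taken from the article.
SAMPLE_ZONE = """\
news.corp.example. 3600 IN CNAME tracking.esp-old.example.
corp.example. 3600 IN TXT "v=spf1 include:_spf.esp-old.example include:_spf.mail-new.example ~all"
ml._domainkey.corp.example. 3600 IN CNAME dkim.esp-old.example.
k1._domainkey.corp.example. 3600 IN CNAME dkim.mail-new.example.
www.corp.example. 3600 IN CNAME corp.example.
corp.example. 3600 IN MX 10 mx.mail-new.example.
"""

def base_domain(host):
    """Naive last-two-labels reduction; real zones need a public-suffix list."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def delegated_targets(rtype, rdata):
    """Yield the hostnames a record hands control or sending rights to."""
    if rtype == "CNAME":
        yield rdata[0]
    elif rtype == "MX":
        yield rdata[1]  # rdata[0] is the preference value
    elif rtype == "TXT" and "".join(rdata).lower().startswith("v=spf1"):
        for term in "".join(rdata).split():
            for prefix in ("include:", "redirect="):
                if term.lower().startswith(prefix):
                    yield term[len(prefix):]

def find_stale_delegations(zone_text, own_domain, active_providers):
    """Return (name, type, target) for records pointing at third parties
    that are neither the organization itself nor a provider still in use."""
    findings = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, _ttl, _cls, rtype, *rdata = shlex.split(line)
        for target in delegated_targets(rtype.upper(), rdata):
            provider = base_domain(target)
            if provider != own_domain and provider not in active_providers:
                findings.append((name.rstrip("."), rtype.upper(), target.rstrip(".")))
    return findings

if __name__ == "__main__":
    active = {"mail-new.example"}  # providers the organization still has accounts with
    for finding in find_stale_delegations(SAMPLE_ZONE, "corp.example", active):
        print("review and remove:", *finding)
```

Running the audit whenever a vendor account is closed, with that vendor dropped from the active set, surfaces the records that need deleting before the account is released.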
