Over 3.5M Drained from Phishing Scam (Cointelegraph, Wallet Connect, De.Fi and others)

This is a unique phishing scam making the rounds today, where the mail server of websites like Cointelegraph and Wallet Connect appears to be hijacked.

What does this mean?

Basically, the phishing emails going out look official, with the From address matching the brand's real sending address.

Above is an email that appears to come from WalletConnect.

  • Phishing Wallet – 0xe7D13137923142A0424771E1778865b88752B3c7
  • Phishing Intermediary Wallet – 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D
  • Fixed Float Deposit Address – 0x4c5D20eFf31A2794C6eef502469DE8f4A1eD55eC
  • Railgun Contract – 0x4025ee6512DBbda97049Bcf5AA5D38C54aF6bE8a

One victim wallet appears to have lost 2.64M worth of XB Tokens. I'm showing about 2.7M sitting in the phishing wallet of 0xe7D13137923142A0424771E1778865b88752B3c7, while 518.75K went to 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D.

Above is the outgoing txns of Phishing Wallet 0xe7D13137923142A0424771E1778865b88752B3c7 sorted by highest outgoing amount.

Above is a different look inside of Phishing Wallet 0xe7D13137923142A0424771E1778865b88752B3c7. You can see the outgoing transfer of 518.70K from 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D to Railgun.

How Did This Phishing Scam Happen?

Malware was discovered on the computer belonging to an employee of MailerLite, the email service provider used by websites sending the phishing emails.

Cybersecurity service Hudson Rock believes the malware may have allowed the attacker to gain access to MailerLite's servers.

The above was posted by Hudson Rock. It appears to show the data from the infected MailerLite employee's computer.

In other words, by gaining access to MailerLite's backend email servers, the attackers were able to impersonate the web3 companies without spoofing the emails.

This appears to be an extremely sophisticated phishing attack exploiting web3 companies' relationships with their email subscribers.
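The point above is that the emails were not spoofed: they came through the brand's real email service provider, so SPF, DKIM and DMARC all pass. What a mail header still reveals is who actually relayed the message. The script below is an added example, not part of the original post; the raw message is constructed, and the domains (walletconnect.example, esp.example, mx.example.net) and IP are placeholders. It pulls the From domain, the DKIM signing domain, the Return-Path domain and the first relay out of the headers, and flags when an authenticated message was handed off by a third-party sender.

```python
"""Summarize who really sent an authenticated email.

Added example, not from the original post. SAMPLE is a constructed message:
walletconnect.example, esp.example and mx.example.net are placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message: DKIM is signed with the brand's domain (an ESP signing
# on the customer's behalf), so DMARC passes, but the bounce address and the
# first relay belong to the ESP.
SAMPLE = """\
Return-Path: <bounce-123@esp.example>
Received: from mail.esp.example (mail.esp.example [203.0.113.10])
    by mx.example.net with ESMTPS; Wed, 24 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=esp.example;
    dkim=pass header.d=walletconnect.example header.s=ml;
    dmarc=pass header.from=walletconnect.example
DKIM-Signature: v=1; a=rsa-sha256; d=walletconnect.example; s=ml;
    h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: WalletConnect <news@walletconnect.example>
To: you@example.net
Subject: Important account notice

body text
"""


def _domain(addr: str) -> str:
    """Return the domain part of an email address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def authentication_summary(raw: str) -> dict:
    """Extract the facts a reviewer needs: auth results, signing domain,
    bounce domain and first relay. Does not verify signatures itself."""
    msg = email.message_from_string(raw, policy=policy.default)

    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    return_path_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    # Authentication-Results is folded; the policy unfolds it for us.
    auth = msg.get("Authentication-Results", "")
    results = {m.group(1): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", auth)}

    dkim_sig = msg.get("DKIM-Signature", "")
    m = re.search(r"\bd=([^;\s]+)", dkim_sig)
    dkim_domain = m.group(1).lower() if m else ""

    # Topmost Received header is the hop closest to our MX; the 'from' host
    # there is the machine that handed the message to us.
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    relayed_via = m.group(1).lower() if m else ""

    return {
        "from_domain": from_domain,
        "dkim_domain": dkim_domain,
        "return_path_domain": return_path_domain,
        "results": results,
        "relayed_via": relayed_via,
        # Authenticated, yet the envelope sender belongs to someone else:
        # the brand's ESP (or whoever controls its account) sent this.
        "third_party_sender": bool(return_path_domain)
                              and return_path_domain != from_domain,
    }


if __name__ == "__main__":
    for k, v in authentication_summary(SAMPLE).items():
        print(f"{k:20} {v}")
```

A passing DMARC result only tells you the message was sent by infrastructure the brand authorized; when `third_party_sender` is true, the trust boundary is the provider's account, which is exactly what was abused here.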

Where's the Money Going?

Most of the funds are still sitting in 0xe7D13137923142A0424771E1778865b88752B3c7. However, the scammers have tipped their hand by sending about 30K to a burner FixedFloat deposit address and over 500K through Railgun.

I looked through the Railgun contract address and was able to cross reference timestamps to get an idea where the funds went.

Railgun is designed for privacy, and scammers use the service to launder stolen crypto. However, when looking at the txn history, the amounts and timestamps line up very closely.

I looked at the timestamps of the Railgun contract 0x4025ee6512DBbda97049Bcf5AA5D38C54aF6bE8a. You can see the funds go into Railgun from the Phishing Intermediary Wallet – 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D at 12:38:59. Just over an hour later, at 13:45:47, a matching amount appears to come out to 0x6D9Ee5600E7E773Fae2b5cB0c8c0bEc9F644188c.

It's my belief most of the funds that went through Railgun are in this wallet – 0x6D9Ee5600E7E773Fae2b5cB0c8c0bEc9F644188c, currently at just over 520K in ETH.
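The cross-referencing described above (an outflow shortly after an inflow, for nearly the same amount) can be done mechanically over a contract's transfer list. The script below is an added example, not from the original post. Its ledger is constructed: the contract and wallet addresses and the two timestamps 12:38:59 and 13:45:47 come from the post, while the date, the USD amounts and the decoy rows are made up for illustration.

```python
"""Pair deposits into a privacy-pool contract with later withdrawals by
time window and amount tolerance.

Added example, not from the original post. LEDGER is constructed: addresses
and the two key timestamps are from the post; date, amounts and the
decoy entries are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    ts: datetime
    direction: str      # "in" = deposit to the contract, "out" = withdrawal
    counterparty: str   # the other address in the transfer
    amount_usd: float   # value at time of transfer (constructed here)


# Constructed transfer list for Railgun contract
# 0x4025ee6512DBbda97049Bcf5AA5D38C54aF6bE8a (date and amounts invented).
LEDGER = [
    Tx(datetime(2024, 1, 24, 11, 2, 10), "in",  "0xaaaa...0001", 12_000.0),
    Tx(datetime(2024, 1, 24, 12, 38, 59), "in",
       "0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D", 518_700.0),
    Tx(datetime(2024, 1, 24, 12, 50, 0),  "out", "0xbbbb...0002", 12_000.0),
    Tx(datetime(2024, 1, 24, 13, 45, 47), "out",
       "0x6D9Ee5600E7E773Fae2b5cB0c8c0bEc9F644188c", 520_300.0),
    Tx(datetime(2024, 1, 24, 15, 0, 0),   "out", "0xcccc...0003", 3_000.0),
]


def match_flows(ledger, window=timedelta(hours=3), tolerance=0.05):
    """Return (inflow, outflow, lag) triples.

    An outflow is a candidate for an inflow when it happens after it, within
    `window`, and its amount is within `tolerance` (a fraction) of the inflow.
    Each outflow is used at most once; the earliest candidate wins.
    """
    ins = sorted((t for t in ledger if t.direction == "in"), key=lambda t: t.ts)
    outs = sorted((t for t in ledger if t.direction == "out"), key=lambda t: t.ts)
    used = set()
    matches = []
    for i in ins:
        best = None
        for o in outs:
            if o in used or o.ts <= i.ts or o.ts - i.ts > window:
                continue
            if abs(o.amount_usd - i.amount_usd) / i.amount_usd > tolerance:
                continue
            if best is None or o.ts < best.ts:
                best = o
        if best is not None:
            used.add(best)
            matches.append((i, best, best.ts - i.ts))
    return matches


def likely_destinations(ledger, source):
    """Addresses that plausibly received funds deposited by `source`."""
    return [o.counterparty for i, o, _ in match_flows(ledger)
            if i.counterparty == source]


if __name__ == "__main__":
    for i, o, lag in match_flows(LEDGER):
        print(f"{i.ts:%H:%M:%S} in  {i.amount_usd:>12,.0f} from {i.counterparty}")
        print(f"{o.ts:%H:%M:%S} out {o.amount_usd:>12,.0f} to   {o.counterparty}"
              f"  (lag {lag})")
```

Timing and amount correlation is heuristic: a busy pool produces coincidental pairs, so tighten the window and tolerance as volume rises and treat a match as a lead to confirm against other evidence, not as proof.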

It's only a matter of time before these get moved through another mixer or exchange.


5 thoughts on “Over 3.5M Drained from Phishing Scam (Cointelegraph, Wallet Connect, De.Fi and others)”

  1. Hello jbtravel84. It looks like you might have found a new scam? If so, please report this scam by crossposting to r/CryptoScams, r/CryptoScamReport, or visiting scam-alert.io. For tips on how to avoid scams, click here.

    I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

  2. This is the main reason why I never trust anything financial that appears in my email. I make sure to call my bank to check on an ongoing offer before I proceed, just to be safe.

  3. If your crypto can be “hacked” through any form of email phishing attack then you are not doing crypto right.

  4. I had an Opensea email that looked official enough saying they were offering 5.2 ETH for one of my NFTs. Since they were self created tests I can say 100% fake/scam.
