Hackers Stole Over $15,000 With a MyEtherWallet Phishing Scam

By Oliver Carding
Updated 22 May 2020

Last week, criminals launched a phishing scam against MyEtherWallet owners, reportedly earning over $15,000 over the course of a few hours.

On the 24th, security researcher Wesley Neelen revealed that he was one of the recipients of the phishing email. The email claimed that the wallet provider was implementing a hard fork update and urged victims to unlock their accounts using their Keystore Files or private keys, synchronize their wallets and verify their ETH and token balances. Anyone who did so would have exposed their private keys and given the hackers information about their wallet balance.

The hackers went to great lengths to make the phishing site look almost identical to the legitimate MyEtherWallet.com site, even registering an almost identical domain. Only upon closer inspection was it clear that the site used a Unicode trick: there was a comma under the t.
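The Unicode trick described above can be checked for mechanically. The following is an added example, not code from the article or the researchers: it folds diacritics off a hostname (decoding punycode labels first) and compares the result to a protected domain. The `PROTECTED` set, the function names and the sample hostnames are assumptions constructed for illustration; the article does not say which "t" in the domain was altered.

```python
import unicodedata

# Assumption: the legitimate domain this check protects (named in the article).
PROTECTED = {"myetherwallet.com"}

def to_unicode(domain: str) -> str:
    """Decode xn-- (punycode) labels so the check sees the form a user is shown."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: leave it as received
        labels.append(label)
    return ".".join(labels)

def ascii_skeleton(domain: str) -> str:
    """Drop combining marks, so a 't' with a comma below folds to plain 't'."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def classify(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    shown = to_unicode(domain)
    if shown in PROTECTED:
        return "legitimate"
    # Differs from the real name only by diacritics: a homograph candidate.
    if ascii_skeleton(shown) in PROTECTED:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed samples: U+021B is LATIN SMALL LETTER T WITH COMMA BELOW.
    lookalike = "myetherwalle\u021b.com"
    wire_form = "xn--" + "myetherwalle\u021b".encode("punycode").decode("ascii") + ".com"
    for host in ("myetherwallet.com", lookalike, wire_form, "example.org"):
        print(f"{host!r:40} {classify(host)}")
```

Diacritic folding only catches accented lookalikes; substitutions from other scripts (for example Cyrillic letters) need a confusables table on top of this check.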

When someone followed the link and entered their details, the phishers gained access to the victim’s wallet, allowing them to transfer its funds. Despite how convincing the site looked, Neelen didn’t fall for the scam. He had received the email at an address that he claimed he only used for the Kin Foundation (an ICO website) pre-registration mailing list, and he started investigating the site. Neelen searched the phishing site for accessible logs and the source code. Together with a colleague, Rik van Duijn, he discovered log files listing all the compromised wallets the hackers had successfully phished from the victims. The hackers’ biggest catch was a wallet with approximately 42.5 ETH in it, worth in excess of $13,000 at the time of publishing.

Neelen believes that the total amount stolen by the hackers is 52.56 Ether, worth over $16,000. Over the course of a few hours, the criminals transferred the stolen funds from the compromised wallets to three different addresses.

Neelen has contacted the registrar of the Unicode domain the hackers used for the phishing site. However, according to Neelen, the domain hosting service is “bulletproof”, and he is not sure whether the registrar will take the phishing website offline. Neelen also contacted law enforcement authorities to initiate a notice and takedown of the website.