MailerLite Attack: Crypto Phishing Emails Looked Legit but Stole $580K from Victims

A phishing attack targeting crypto email provider MailerLite allowed hackers to impersonate major web3 companies and steal over $600,000 by sending wallet-draining links to unsuspecting subscribers. The scheme began when MailerLite employees fell victim to a phishing attack themselves.

TLDR

• Hackers gained access to MailerLite’s system through a phishing attack targeting an employee
• They were able to access crypto-related accounts and impersonate legitimate companies
• Phishing emails were sent from compromised accounts with links to wallet-draining malware
• Major web3 companies like CoinTelegraph, WalletConnect, and De.Fi were impacted
• Over $600,000 in crypto funds were stolen through the phishing attack

On January 23rd, a MailerLite customer support representative responded to what appeared to be a legitimate customer inquiry. However, the attached image actually contained a fake Google sign-in page used to harvest the employee’s credentials. With access to the internal admin panel, the attackers escalated their permissions by resetting a user’s password.

The hackers zeroed in on cryptocurrency-related accounts connected to the mailing service, accessing a total of 117 accounts. While not every account was exploited, some of the biggest names in web3 found themselves unwittingly turned into phishing launchpads. Major crypto publication CoinTelegraph as well as prominent apps WalletConnect, Token Terminal and De.Fi had their accounts compromised.

With control of the accounts, the attackers were able to craft emails appearing to come from the legitimate companies. The emails urged subscribers to click on links which actually led to wallet-draining software designed to steal crypto funds.

By wrapping their phishing attempts in familiar formatting from a trusted source, the ploy managed to ensnare many victims. Cybersecurity sleuths tracked the totals stolen to over $600,000 taken from users’ crypto wallets. A chunk of the funds were quickly run through privacy protocol Railgun to try and erase the money trail. Still, blockchain analysis revealed over $580,000 can be attributed to the MailerLite phishing scam.

The multi-stage attack took advantage of a tactic known as “dangling DNS.” Even after customers close their MailerLite accounts, DNS records linking domains to MailerLite’s servers remain active. This vulnerability allowed the hackers to impersonate domains which had long stopped using the mailing provider.

MailerLite says they successfully halted the breach after detecting the suspicious activity. But the company admits over 100 customer accounts were accessed in the incident, with personal information like names, emails and uploaded data exposed.

MailerLite stated they are addressing security flaws and improving employee training to prevent similar attacks going forward.