Google Public DNS Hijacked, MEW Users Lose Funds

On April 24, 2018 the popular Ethereum wallet MyEtherWallet suffered a phishing attack on its Google Public DNS.  Some 515 ETH ($360,500) has been stolen as a result of the hack.

One Reddit user on r/myetherwallet, u/rotistain, alerted other community members of the hack this morning.  Upon waking up, rotistain accessed myetherallet.com only to notice that the link had an invalid connection certificate, labeling the site as not secure.  Proceeding anyway, rotistain used a private key to log in and was greeted with “a countdown for about 10 seconds and A tx [that sent] the available money [he] had on the wallet to another wallet.” 

Soon after this post, a handful of posts on r/cryptocurrency, r/ethereum, and r/ethtrader surfaced to warn other users of the security breach. Before the initial post on r/myetherwallet, Dent’s Twitter account tweeted a warning that Google’s DNS was returning the wrong IP for the website, as well as displaying the same invalid SSL that rotistain mentioned.

Hmm, Google's DNS server 8.8.8.8 is returning wrong IP for www. myetherwallet .com and the SSL certificate returned is invalid , BE CAREFUL OUT THERE! @myetherwallet can you please check whats happening! #dentcoin #btc #eth #blockchain #ethereum #bitcoin #gsma pic.twitter.com/JCXOj4CzAr

— DENT (@dentcoin) April 24, 2018

According to the multitude of Reddit posts, the faulty IP address and name server are Russian in origin. Users also tracked the filched funds back to two wallet addresses, one of which the MyEtherWallet team has labelled as Fake_Phishing899 in response to the attack.  At press time, funds have been moved from these addresses, split up, and scattered through a variety of fresh wallets to obscure their allocation.

While they have yet to corroborate the origin of the hack, the MyEtherWallet team did confirm on Twitter that a “[couple] of DNS servers were hijacked.”  The team claims that the security breach was not a result of vulnerabilities on myetherwallet.com and that they are working on resolving the issue immediately.

Couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.

— MyEtherWallet.com (@myetherwallet) April 24, 2018

As with past phishing attacks that have targeted Ethereum-powered wallets or exchanges, the hacker(s) could only compromise accounts whose users entered their private keys on the fake website. As such, if you attempted to access MyEtherWallet at the time of the attack with a hardware wallet or MetaMask, your funds would be safe. Additionally, as the phishing attack hijacked the wallet service’s Google Public DNS, some users who accessed myetherwallet.com from another one of its domain name server hosts wouldn’t have run into issues.