MyEtherWallet (MEW), the most popular Ethereum web-based wallet fell victim to a DNS hack on April 24, 2018. Comments made by wallet users on social media and online crypto forums reveal that funds have indeed been stolen from their wallets.
MyCrypto, a rival service to MEW, confirmed the occurrence of the hack and informed MEW users that their accounts had been compromised. This is yet another DNS-based attack in the crypto community which shows the vulnerability inherent in a single point of failure. Etherdelta, for instance, was the victim of a similar hack in December 2017.
Reports of Missing Funds from Wallet Users
It began when MEW users started reporting suspicious activities on the MEW web interface. The news was broken by a MEW-user on Reddit r/rotistain, saying that they had fallen victim to a phishing scam. Apparently, the user had logged on the MEW service and seen that the connection was not secure which was an anomaly.
The user proceeded to check if the site was a phishing site but all checks proved negative and despite their better judgment, proceeded to log in. The user ended up losing 0.09 ETH which was all the money that was in the user’s wallet.
Not too long after the story broke, MEW published a confirmation tweet. Earlier in the year, MEW had debunked rumors that it had been hacked.
This time around, it appears the wallet provider had indeed been breached. Speaking to BTCManager via email, Kosala Hemachandra, Founder and CEO of MEW said, “It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC, April 24, 2018, to redirect http://myetherwallet.com users to a phishing site. This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public-facing DNS servers.”
“A majority of those affected were using Google DNS servers. Affected users are likely to have clicked the “ignore” button on an SLL warning that pops up when visiting a malicious site imitating MEW. We recommend all our users to switch to Cloudflare DNS servers in the meantime. We are currently in the process of verifying which servers were targeted to help resolve this issue as soon possible.”
Couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.
— MyEtherWallet | MEW (@myetherwallet) April 24, 2018
An address linked to the hack has been discovered, and it is currently tagged on Etherscan (Fake_Phishing899) as being involved in the MEW DNS hack. The address has so far conducted 180 transactions and has stolen 215 ETH currently valued at . According to a post on Reddit, there are indications that the hack may have originated from Russia.
DNS Down and Confirmation from Rival Service
MEW isn’t the only crypto service experiencing DNS troubles. In the early hours of April 21, Binance tweeted that Google’s DNS service was down and that this was the reason for the service disruptions experienced by some of the exchange’s users. There are no indications yet whether the two incidents are related. However, a tweet by CobraBitcoin (co-owner of BitcoinTalk) revealed that the Google DNS issues could have a link to the MEW hack.
Sounds like something very evil has happened with Google DNS today. Their DNS servers appear to have been compromised and used to phish users at services like @myetherwallet. Don't trust any website if you're using Google DNS. Even SSL certificates can be generated at DNS level.
— CØ₿RA (@CobraBitcoin) April 24, 2018
MyCrypto also posted tweets confirming the MEW DNS hack. Being direct competitors of MEW, MyCrypto spared few details in what may seem like a bit of “schadenfreude” over the current travails of its rival. It should also be noted that MyCrypto emerged as a result of a less than harmonious split between the founders of the MEW earlier in the year.
— MyCrypto.eth 🦊💙 (@MyCrypto) April 24, 2018
According to MyCrypto, the account of any MEW user who entered their private key during the hack has been compromised. As a result, the service is doing all it can to mobilize resources to investigate the cause of the attack and try to help the MEW team in any way that it can. The MyCrypto team also advised wallet users to store their funds in offline wallets to keep them safe from hackers.
We advise all our readers to prefer using offline wallet whenever possible and to make sure that SSL certificate is green when using any important website. Investing in a hardware wallet like Ledger or Trezor is beneficial since all online exchanges and wallets can be hacked.