$150,000 USD in Ethereum Stolen in MyEtherWallet Hack

By James Gray

Key Points

  • On April 24th, 2018, a DNS hijacking attack redirected MyEtherWallet.com traffic for roughly 120 minutes, resulting in the theft of approximately 215 ether from unsuspecting users.

On April 24th, 2018, a DNS hijacking attack redirected MyEtherWallet.com traffic for roughly 120 minutes, resulting in the theft of approximately 215 ether from unsuspecting users. The breach unfolded when attackers manipulated Domain Name System infrastructure to intercept traffic intended for the legitimate wallet platform, routing visitors instead to a fraudulent version of the site. MyEtherWallet quickly notified the community via social channels once the intrusion was detected, though the window of exposure had already enabled significant losses.

This particular assault leveraged time-tested DNS redirection methods rather than exploiting flaws within MyEtherWallet itself. Attackers compromised publicly accessible DNS servers operated by Google and Amazon, rerouting requests away from the genuine platform. The platform's operators emphasized that such attacks represent a broader internet vulnerability affecting corporations of all sizes, from major financial institutions to tech giants, and reflected no specific weakness in their own security posture.

A Border Gateway Protocol hijack connected to the incident compromised Amazon's DNS infrastructure. eNet, an autonomous system operator based in Columbus, Ohio, made unauthorized route announcements between 11:05 and 13:03 UTC on April 24th for the following prefixes: 205.251.192.0/24, 205.251.193.0/24, 205.251.195.0/24, 205.251.197.0/24, and 205.251.199.0/24.
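As an added illustration that is not part of the original article, the following Python sketch shows how a route monitor can flag announcements like these by comparing each observed prefix and origin against an expected baseline. The covering /21 aggregate, the ASNs 64500 and 64511 (documentation-range numbers), and the sample feed are constructed assumptions; only the five /24 prefixes come from the article.

```python
import ipaddress

# Constructed baseline: the covering /21 and its origin ASN are assumptions
# (64500 is a documentation-range ASN), not values from the article.
EXPECTED = {ipaddress.ip_network("205.251.192.0/21"): 64500}

# Constructed sample feed of (prefix, origin ASN). The first five prefixes are
# the ones named in the article; 64511 stands in for the unauthorized origin.
OBSERVED = [
    ("205.251.192.0/24", 64511),
    ("205.251.193.0/24", 64511),
    ("205.251.195.0/24", 64511),
    ("205.251.197.0/24", 64511),
    ("205.251.199.0/24", 64511),
    ("205.251.192.0/21", 64500),   # the expected aggregate itself
    ("205.251.196.0/24", 64500),   # more specific, but from the expected origin
    ("198.51.100.0/24", 64511),    # outside the monitored space
]


def classify(prefix, origin, expected=EXPECTED):
    """Return (status, covering) for one announcement."""
    net = ipaddress.ip_network(prefix)
    for covering, asn in expected.items():
        if net.version != covering.version or not net.subnet_of(covering):
            continue
        if origin == asn:
            return "ok", covering
        # A longer prefix wins longest-prefix-match routing, so a foreign /24
        # inside our /21 pulls traffic away even while the /21 is still up.
        if net.prefixlen > covering.prefixlen:
            return "more-specific-origin-mismatch", covering
        return "origin-mismatch", covering
    return "unmonitored", None


def alerts(observed=OBSERVED):
    """Announcements inside monitored space whose origin is not the expected one."""
    return [(p, o, classify(p, o)[0]) for p, o in observed
            if classify(p, o)[0].endswith("origin-mismatch")]


if __name__ == "__main__":
    for prefix, origin, status in alerts():
        print(f"ALERT {status}: {prefix} announced by AS{origin}")
```

Publishing route origin authorizations with a tight maximum prefix length lets validating networks reject such more-specific announcements instead of only alerting on them.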

When traffic was redirected to the malicious site, users encountered SSL certificate warnings, browser screens alerting them to a domain mismatch. Proceeding required users to explicitly bypass this protection. The fraudulent interface allegedly originated from infrastructure within Russia. MyEtherWallet's guidance was direct: "PLEASE ENSURE there is a green bar SSL certificate that says 'MyEtherWallet Inc' before using MEW." The organization urged users to run offline copies of the wallet temporarily and to switch to Cloudflare DNS during remediation efforts. The team also cautioned against fake reimbursement offers circulating on social platforms.

Forensic analysis revealed 179 transactions totaling 216.06 ether funneled to wallet address 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29, with stolen credentials potentially enabling further unauthorized access. This incident paralleled earlier campaigns targeting Apple, Facebook, Google, and Microsoft in late 2017, and Stellar's January 2018 breach that claimed $400,000 in lumens. Hardware-based custody solutions remain the most robust defense against such infrastructure-level attacks, as digital asset holders navigate an increasingly sophisticated threat landscape.

MiningPool content is intended for information and educational purposes only and does not constitute financial, investment, or legal advice.
