MyEtherWallet Hijacked on Google Public DNS


On 24 April 2018, MyEtherWallet (MEW) was hijacked through an attack on Google Public DNS servers. Checking on EtherScan, we saw 215 ETH stolen from user addresses and sent to the address 0x1d50588c0aa11959a5c28831ce3dc5f1d3120d29, and this morning the attacker sent 215 ETH to 0x68ca85dbf8eba69fb70ecdb78e0895f7cd94da83.

It all began with a Reddit message on the MEW board from a user saying he lost 0.9 ETH when his connection was intercepted as he logged in:

Woke up today, put my computer on, went on to myetherwallet and saw that myetherwallet had an invalid connection certificate in the corner. I thought this was odd. https://i.imgur.com/2x9d7bR.png. So I double checked the url address, triple checked it, went on google, got the url. Used EAL to confirm it wasn’t a phishing site. And even though every part of my body told me not to try and log in, I did. As soon as I logged in, there was a countdown for about 10 seconds and a tx was made sending the available money I had on the wallet to another wallet, “0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29.”

MyEtherWallet tweeted a message explaining that a couple of DNS servers were hijacked and that requests and responses from the browser were redirected to a phishing site.
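
As an added example (not code from MyEtherWallet or from this post): when only some resolvers are hijacked, their answers diverge from the site's known address ranges, and the certificate error the Reddit user saw is a second, independent signal. The pinned prefixes, resolver names and sample answers below are constructed, and the function names are hypothetical.

```python
import ipaddress

# Assumption: the site's known-good ranges are pinned ahead of time.
# Documentation prefixes stand in for them (constructed values).
EXPECTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("2001:db8:10::/48")]

# Constructed sample: answers for one hostname, collected from five
# hypothetical resolvers at the same moment.
SAMPLE_ANSWERS = {
    "resolver-a": ["192.0.2.10", "2001:db8:10::5"],
    "resolver-b": ["192.0.2.11"],
    "resolver-c": ["203.0.113.66"],                # outside every pinned prefix
    "resolver-d": ["192.0.2.10", "198.51.100.7"],  # mixed answer
    "resolver-e": [],                              # timeout or empty answer
}


def unexpected_addresses(addresses, expected_networks):
    """Return the addresses that fall outside every pinned network."""
    parsed = [(text, ipaddress.ip_address(text)) for text in addresses]
    return [text for text, ip in parsed
            if not any(ip in net for net in expected_networks)]


def audit_resolvers(answers, expected_networks):
    """Map resolver -> (status, offending addresses)."""
    report = {}
    for resolver, addresses in answers.items():
        bad = unexpected_addresses(addresses, expected_networks)
        if not addresses:
            report[resolver] = ("no-answer", [])
        else:
            report[resolver] = ("suspect", bad) if bad else ("ok", [])
    return report


def safe_to_connect(report, resolver, tls_verified):
    """Fail closed: a clean DNS answer AND a verified certificate are both
    required, so a certificate error alone is enough to stop."""
    status, _ = report.get(resolver, ("no-answer", []))
    return bool(tls_verified) and status == "ok"


if __name__ == "__main__":
    report = audit_resolvers(SAMPLE_ANSWERS, EXPECTED_NETWORKS)
    for name, (status, bad) in sorted(report.items()):
        print(f"{name}: {status} {bad}")
```

A resolver that returns even one address outside the pinned ranges is reported as suspect, and an unknown or silent resolver is never treated as clean.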

Where are the stolen ETH

According to the multitude of Reddit posts, the phishing IP address and name server are Russian. The first ETH address that received coins was labelled as Fake_Phishing899 in response to the phishing attack. Now, all hacked funds have been moved from this address and split up across several fresh ETH wallets.