A user who clicks the “Start Staking” button in the phishing email is redirected to a malicious web application that advertises itself as “Staking Launchpad”. If a user approves a transaction from this app, their wallet will be drained of funds.
Upon detecting the malicious emails, the Ethereum Foundation blocked the attacker from sending further emails and closed the malicious access link, ensuring the attacker no longer had access to the mailing list.
The organization sent alerts to blacklists, Web3 wallet providers, and Cloudflare to warn users about the malicious site. The investigation found that the attacker uploaded a database containing new email addresses that were not on the Ethereum Foundation’s subscriber list.
The attacker also extracted email addresses from the blog’s mailing list, a total of 3,759 addresses. Of these, 81 were new email addresses previously unknown to the attacker, and the rest were duplicate addresses.