Reports of phishing attempts linked to ads on the top Ethereum blockchain explorer began surfacing on Sunday. It was unclear, however, whether any user funds were lost.
Posted April 8, 2024 at 5:21 pm EST.
Bundled among recent ads on Etherscan promoting upcoming NFT launches, 350% boosts on crypto gambling deposits, and the memecoin “Dogecoin 20” appeared to be something far more nefarious.
Word of phishing attempts stemming from links in Etherscan ads started circulating on Sunday. It was unclear as of publication whether any user funds were lost. A Monday review by Unchained of the ads then live on the popular Ethereum blockchain explorer did not turn up any that appeared to be linked to phishing attempts.
But crypto security experts told Unchained on Monday that the endeavor marks the latest indicator of scam artists going after high-profile, trusted targets.
The attacks in question, known as wallet draining, work by tricking users into linking their wallets to fake websites that look legitimate — then emptying their contents. Crypto hacks were down 23.1% in the first quarter compared to the same period in 2023, according to an Immunefi report. But isolated instances have persisted.
Dan Chong, the chief executive officer and co-founder of onchain security specialist Harpie, said that “as more money gets into crypto and the industry starts getting bigger, these attacks are going to become more common, especially on trusted institutions.”
“It’s interesting that it did happen on Etherscan, which is one of the most trusted authorities in crypto — or it’s supposed to be,” Chong said. “It says a lot as to the reach of scams and the people trying to design them. It’s not necessarily Etherscan’s fault that this happened, because they are using third-party ad aggregators.”
Ad aggregators typically snap up and package together scores of programmatic ads for companies and websites that host them, sparing the host the time and expense of sourcing their own ads. Etherscan gets 80 million page views a month, according to its website.
Who Does the Due Diligence Burden Fall On?
Etherscan’s terms of service and privacy policy both limit its liability for third-party content hosted on the site, including by saying that the block explorer is not “responsible or liable for any loss or damage of any sort incurred” from third-party interactions. Ads on Etherscan also commonly link to trusted crypto services, like the decentralized wallet MetaMask.
Representatives for Etherscan did not return a request for comment for this story.
Attacks that piggyback on Etherscan and, more generally, on crypto institutions that consumers trust are tricky to guard against, according to Dave Schwed, the chief operating officer of crypto security firm Halborn.
Etherscan users likely have “in their minds a level of trust with ads that are being displayed,” Schwed said, adding that it’s not much of a surprise when “you’re targeting a community where time is of the essence on acting with certain things, and their guards are generally down.”
The news ought to serve as one reminder of the importance of risk management, including when it comes to vendors that crypto companies do business with, according to Schwed. One solution: engage in random checks of ads coming through vendors.
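The random vendor checks Schwed suggests can be scripted. The following is an added example, not code from Etherscan, Halborn or any ad vendor: it draws a random sample of ad creatives from a constructed feed and flags the ones whose landing URL is not on a host-maintained allowlist, whose domain resembles a protected brand name (a lookalike of "metamask" or "etherscan"), that are served over plain HTTP, or that hide a decoy host in the URL's userinfo part. The feed, the allowlist and the field names (`id`, `click_url`) are assumptions made for the example.

```python
"""Spot-check a third-party ad feed for suspicious landing pages.

Added illustrative example. The allowlist, protected brand list and the
ad feed below are constructed for this demonstration; they are not data
from Etherscan or any ad vendor.
"""
import random
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Landing domains the host has vetted (constructed assumption).
ALLOWED_DOMAINS = {"metamask.io", "etherscan.io", "example-sponsor.com"}

# Brand names that phishing pages commonly imitate (constructed assumption).
PROTECTED_BRANDS = ["metamask", "etherscan"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'metamsk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def landing_domain(url: str) -> str:
    """Host the browser would actually connect to, lower-cased.

    urlparse().hostname ignores anything before '@', so a decoy such as
    'https://etherscan.io@evil.example/' resolves to 'evil.example'.
    """
    return (urlparse(url).hostname or "").lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return a protected brand the domain's second-level label imitates."""
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else domain
    candidates = {sld, *sld.split("-")}  # 'metamask-claim' -> metamask, claim
    for brand in PROTECTED_BRANDS:
        for cand in candidates:
            if cand == brand and sld != brand:   # brand embedded in a longer label
                return brand
            if cand != brand and edit_distance(cand, brand) <= 2:  # typosquat
                return brand
    return None


def check_creative(creative: Dict[str, str]) -> List[str]:
    """Return a list of findings for one creative; empty means it passed."""
    url = creative["click_url"]
    parsed = urlparse(url)
    dom = landing_domain(url)
    findings: List[str] = []
    allowed = dom in ALLOWED_DOMAINS or any(
        dom.endswith("." + d) for d in ALLOWED_DOMAINS
    )
    if not allowed:
        findings.append(f"landing domain not allowlisted: {dom}")
    brand = lookalike_of(dom)
    if brand and not allowed:
        findings.append(f"domain resembles protected brand '{brand}': {dom}")
    if parsed.scheme != "https":
        findings.append("non-HTTPS landing URL")
    if parsed.username:
        findings.append(f"URL embeds a decoy host in userinfo: {parsed.username}")
    return findings


def spot_check(feed: List[Dict[str, str]], sample_size: int,
               seed: Optional[int] = None) -> Dict[str, List[str]]:
    """Randomly sample creatives from the feed and check each one."""
    rng = random.Random(seed)
    sample = rng.sample(feed, min(sample_size, len(feed)))
    return {c["id"]: check_creative(c) for c in sample}


# Constructed sample feed: one clean ad, one typosquat, one plain-HTTP ad,
# and one URL that puts a trusted name in front of '@' to mislead the eye.
SAMPLE_FEED = [
    {"id": "ad-1", "click_url": "https://metamask.io/download"},
    {"id": "ad-2", "click_url": "https://metamsk-claim.xyz/airdrop"},
    {"id": "ad-3", "click_url": "http://example-sponsor.com/promo"},
    {"id": "ad-4", "click_url": "https://etherscan.io@wallet-verify.example/connect"},
]

if __name__ == "__main__":
    for ad_id, findings in spot_check(SAMPLE_FEED, 4, seed=7).items():
        print(ad_id, findings or "ok")
```

In practice the sample would be drawn from the vendor's live creative feed on a schedule, and any finding would be escalated to the vendor before the creative runs again; the allowlist check is the one that catches most drainer pages, while the lookalike and userinfo checks explain why a flagged URL fooled a human reviewer.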
But a big part of the onus on engaging with ads, he said, comes down to user scrutiny.
“We can’t … just point our fingers at everybody else to do the due diligence that we should be doing in 2024,” he said.