MyEtherWallet

A hacker (or group of hackers) has hijacked the DNS servers of MyEtherWallet.com, a web-based Ether wallet service.

Users accessing the site were redirected to a fake version of the website. Those who logged in had their wallet private keys stolen, which the attacker used to empty accounts.

MyEtherWallet admins detected the DNS hijacking event and attempted to warn users via Twitter.

The fake website was easy to spot because the attackers used a self-signed TLS certificate, which triggered a certificate error in all modern browsers.

However, not all users paid attention to the HTTPS error and proceeded to log into their accounts. According to users who reported losing funds, the hacker collected Ether at 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29.

Approximately two hours later, once MyEtherWallet had started regaining control of its DNS entries, the hacker transferred the stolen funds to another account. All in all, the attacker made off with 215 Ether, the equivalent of $160,000 at the time of the transaction.

According to Oracle's Internet Intelligence division (formerly known as Dyn Research), the hacker was able to hijack DNS entries after executing a BGP route hijack that redirected entire swaths of Internet traffic meant for Amazon servers to systems they controlled.

Attackers didn't hijack just any Amazon routes, but the IPs for Amazon's Route 53 cloud infrastructure, the one known to host many major websites [1, 2]. ThousandEyes has also released a video today explaining the BGP hijack in more depth.

Some of the hijacked traffic was for Amazon DNS servers, used by the MyEtherWallet team. Attackers then pointed domain name resolutions for the MyEtherWallet.com domain to an IP address located in Russia, where they hosted their fake version of the MyEtherWallet website that logged private keys.
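A BGP hijack of a DNS provider's prefixes is typically visible only from networks that accept the bogus route, so a defender's monitor should compare the domain's answers from several vantage points against the prefixes its servers are actually in. The following is an added example, not code from MyEtherWallet or the article; the domain, the expected prefixes, the resolver names and the observed answers are all constructed (a live version would replace OBSERVED with real lookups through each resolver).

```python
"""Cross-vantage DNS monitor: flags answers that fall outside the prefixes
the operator expects, and flags disagreement between vantage points, which
is the signature of a path-dependent hijack of the authoritative DNS.
All prefixes, resolver names and answers here are constructed samples."""
import ipaddress
from typing import Dict, List

DOMAIN = "myetherwallet.com"  # monitored name; values below are constructed
# Constructed: documentation prefixes standing in for the real web servers.
EXPECTED_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed A-record answers "seen" from three resolver vantage points.
OBSERVED: Dict[str, List[str]] = {
    "resolver-a": ["203.0.113.10"],
    "resolver-b": ["203.0.113.10"],
    "resolver-c": ["192.0.2.77"],   # only this path sees the rogue answer
}

def unexpected_answers(expected, observed):
    """Return {vantage: [ips]} for answers outside the expected prefixes."""
    bad = {}
    for vantage, ips in observed.items():
        out = [ip for ip in ips
               if not any(ipaddress.ip_address(ip) in net for net in expected)]
        if out:
            bad[vantage] = out
    return bad

def vantage_disagreement(observed):
    """True when the vantage points do not all return the same answer set."""
    return len({frozenset(ips) for ips in observed.values()}) > 1

def assess(expected, observed):
    """Combine both checks into a single verdict for the monitored name."""
    bad = unexpected_answers(expected, observed)
    split = vantage_disagreement(observed)
    if bad:
        verdict = "ALERT: unexpected DNS answers"
    elif split:
        verdict = "WARN: vantage points disagree"
    else:
        verdict = "OK"
    return {"verdict": verdict, "unexpected": bad, "split": split}

if __name__ == "__main__":
    print(DOMAIN, assess(EXPECTED_PREFIXES, OBSERVED))
```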

The MyEtherWallet incident is not the first DNS hijacking attack against a cryptocurrency-related domain. In January 2018, hackers hijacked the servers of BlackWallet.com and managed to steal over $400,000 of Stellar Lumen (XLM) funds.

EtherDelta suffered a similar DNS hijacking incident before Christmas 2017, but to this day we still don't know how much the attacker stole. Classic Ether Wallet and the Etherparty ICO website also suffered DNS hijackings.

Article updated post-publication to add links to Kevin Beaumont's Medium post and ThousandEyes' report.
