Russian cybercriminals are targeting users of the cryptocurrency Ethereum with a deluge of phishing attacks, and have so far made almost $700,000 in just six days.
Many Ethereum users are part of online communities where they can discuss issues about cryptocurrencies. Instead of using forums, many mining pools, wallet services and information sites now host chatrooms using the customisable cloud-based chat messaging software Slack.
Slack has multiple channels, so developers of the wallets and mining pools can chat in private channels, while also supporting public channels where any user can ask questions, get support and chat generally about any topic.
Cybercriminals are capitalising on these Slack communities by infiltrating them and impersonating the software's official chatbot Slackbot to send fake custom messages from administrators to all members of a Slack team.
Tens of thousands at risk
Over 100 Slack communities are currently known to have been hit by the malicious phishing messages and tens of thousands of users in both the ETH and ETC forks are at risk.
The malicious messages claim that the MyEtherWallet service has been hacked, and users are advised to log into their wallet and check their balance to see if they have lost any money.
If the user clicks the hyperlink in the Slack message, they are taken to a malicious website impersonating the wallet service. If they try to log in, their details are harvested by the cybercriminals, who then log into the victims' actual accounts and steal their funds.
So far, $682,000 has been stolen since 7 July due to malicious phishing messages sent over Slack, as well as from malicious private messages sent to users on Reddit.
Some fake messages are even being sent claiming to be from Ethereum co-founder Vitalik Buterin on both Slack and Reddit.
Phishing scams targeted at Ethereum users first popped up in 2016, but the recent sharp increase in attacks could be linked to the currency's spike in price.
Ethereum's price was very low after its launch in June 2015, but it shot up by over 2,300% in January from $8.24 to $203.30, before peaking at $400 at the end of June. As of 11 July, the price of Ethereum is $209.39.
MyEtherWallet has not been hacked
There has never been any danger of MyEtherWallet being compromised, and the service's core developers want users to start being more aware of scammers.
"MyEtherWallet has not been hacked. Nothing is actually at risk because the service does not store any user information and has not been compromised in any way," the core developers told IBTimes UK.
"But it's easy to not think clearly when you're told your money is at risk, so many users believed it and went to this fake site and gave up their information."
MyEtherWallet is a popular free open source wallet system that is run by a small group of core developers. It doesn't make money, bar a few small affiliate relationships, and is designed purely to make it easier for users to interact with the Ethereum blockchain to make transactions and store their cryptocurrency.
MyEtherWallet.com is the official site, and fake MyEtherWallet phishing sites are using other domains hosted in Russia to pull off the scams.
Stopping the scammers
To stop the scammers, MyEtherWallet's developers are having to find a Russian lawyer to issue a copyright infringement court order against Reg.Ru, the domain registrar for the scammers' websites.
About 200 people in the Ethereum community are also now mass-spamming the cybercriminals' servers in Russia with a constant deluge of fake private keys.
This makes it harder for the cybercriminals to figure out which of the login details they have harvested are real and which are fake, so Ethereum users who realise they have fallen for the trick now have a chance to quickly move their funds to a new wallet account.
The core developers and others in the community are also closely monitoring over 40 Slack channels to try to prevent any future losses; trying to warn other Ethereum communities on Slack; and building a new app for Slack that can detect malicious links when they are posted.
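One way a link check like the Slack app mentioned above could work, as an added example that is not MyEtherWallet's code: it parses Slack's `<url|label>` link markup and flags hosts that imitate myetherwallet.com or hide behind a label naming it. The heuristics, the distance threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "myetherwallet.com"  # official site named in the article
BRAND = "myetherwallet"
# Slack message markup writes links as <url> or <url|visible label>
SLACK_LINK = re.compile(r"<(https?://[^|>\s]+)(?:\|([^>]*))?>")
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify_host(host):
    """Return 'official', 'lookalike' or 'other' for a hostname."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    for label in host.split("."):
        folded = label.translate(FOLD)  # undo digit-for-letter swaps and hyphens
        if BRAND in folded or edit_distance(folded, BRAND) <= 2:
            return "lookalike"
    return "other"

def scan_message(text):
    """Return [(url, reason)] for links in one message that deserve a warning."""
    findings = []
    for url, label in SLACK_LINK.findall(text):
        verdict = classify_host(urlsplit(url).hostname or "")
        # Visible text names the wallet while the real target is unrelated.
        if verdict == "other" and BRAND in label.lower().translate(FOLD):
            verdict = "label-mismatch"
        if verdict in ("lookalike", "label-mismatch"):
            findings.append((url, verdict))
    return findings

# Constructed sample messages; hostnames use the reserved .example TLD.
SAMPLES = [
    "Balance page: <https://myetherwallet.com/|MyEtherWallet>",
    "Notice: <https://myetherwalllet.example/login|myetherwallet.com>",
    "Verify at <https://myetherwallet.com.balance-check.example/>",
    "Status: <https://wallet-status.example/|www.myetherwallet.com>",
    "FAQ: <https://ethereum.example/faq>",
]
```

Running `scan_message` over each entry in `SAMPLES` returns an empty list for the first and last messages and one finding for each of the other three. A bot built on this would still need an allowlist for legitimate related domains to keep false positives down.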
"It's basically like the Nigerian Prince email scam, except that it's coming over Reddit and Slack, and people somehow don't know how to be sceptical. Perhaps because email's spam filter is so good that the younger crowd typically in crypto don't know how to be wary of links and scams," MyEtherWallet said.
"Phishing victims are typically reserved for the older generation, but today you have a crowd of people who likely grew up on the internet and are interested in cryptocurrencies, and they seem incapable of not clicking links in these phishing messages."