MyEtherWallet Hit by Devastating DNS Attack, Users Lose Millions in Cryptocurrency
April 24, 2018 marked a dark day for the cryptocurrency community as one of the most popular wallet services, MyEtherWallet (MEW), fell victim to a sophisticated DNS attack that resulted in significant financial losses for users worldwide.
TL;DR
- MyEtherWallet suffered a DNS server hijacking on April 24, 2018 at 12PM UTC
- Attackers redirected users to phishing sites, draining cryptocurrency from multiple wallets
- Over $365,000 worth of Ether was stolen across multiple wallet addresses
- Users were warned to switch from Google DNS to Cloudflare’s DNS for enhanced security
- The incident highlighted critical security vulnerabilities in cryptocurrency wallet infrastructure
The Attack Unfolds
In a carefully orchestrated attack, MyEtherWallet announced that “a couple of Domain Name System registration servers were hijacked around 12PM UTC 24 April to redirect users to a phishing site.” The attack targeted the infrastructure rather than the MEW platform directly, exploiting a fundamental weakness in how users access cryptocurrency services.
The DNS redirection meant that when users attempted to visit the legitimate MyEtherWallet website, they were instead sent to malicious impersonating sites. Once on these phishing pages, users who entered their private key information without proper verification found their accounts compromised and funds drained by attackers.
Scale of the Damage
The financial impact was substantial. According to reports from blockchain analysis and fraud trackers, the attackers managed to steal over 520 Ether across multiple wallet addresses. At the current market price of approximately $700 per ETH, this represents a loss of around $365,000 in just the initial wave of attacks.
Further investigation revealed that the stolen funds were consolidated into a holding wallet with a balance exceeding $17 million in Ether. While this doesn’t necessarily represent the total stolen amount – as the attackers could be using additional untracked wallets – it indicates the sophisticated nature of the attack and the potential for further losses.
Google DNS Users Particularly Vulnerable
What made this attack particularly concerning was its specific targeting of users relying on Google’s DNS service. MEW confirmed that “a majority” of affected users were using Google’s DNS at the time of the hijacking. This specificity suggests attackers had prior knowledge or conducted reconnaissance on common DNS configurations among cryptocurrency users.
The company moved quickly to address the situation, securing their website infrastructure and advising affected users to switch to Cloudflare’s DNS service, which offers enhanced security features and monitoring capabilities.
Security Lessons and Industry Response
The MEW attack serves as a critical reminder of the importance of proper security practices in the cryptocurrency space. Experts emphasized that users should never manually enter private keys and that secure hardware wallets are strongly recommended for storing significant cryptocurrency holdings.
MEW issued strong recommendations to its user base, urging them to “PLEASE ENSURE there is a green bar SSL certificate that says ‘MyEtherWallet Inc’ before making any transactions.” The company specifically advised users to “run a local (offline) copy of the MEW” and “use hardware wallets to store their cryptocurrencies.”
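The two checks this incident points to, comparing what different resolvers return for the same name and confirming that the certificate names "MyEtherWallet Inc", are written out below as an added Python example (not code from MEW or from the original article). The hostname, IP addresses and certificate dictionaries are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example with constructed data; runs offline, makes no network calls.
EXPECTED_ORG = "MyEtherWallet Inc"  # organisation name MEW told users to look for
HOST = "www.myetherwallet.com"      # assumed hostname for the sample data

def resolver_outliers(answers):
    """answers maps resolver name -> set of IPs it returned for one hostname.
    Returns resolvers whose answer shares no address with any other resolver.
    CDNs can cause honest differences, so an outlier is a prompt to inspect
    the certificate, not proof of hijacking."""
    if len(answers) < 2:
        return []
    outliers = []
    for name, ips in answers.items():
        others = set().union(*(v for k, v in answers.items() if k != name))
        if ips.isdisjoint(others):
            outliers.append(name)
    return sorted(outliers)

def subject_field(cert, field):
    """First value of `field` in a getpeercert()-style subject, else None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def cert_problems(cert, hostname, expected_org=EXPECTED_ORG):
    """Reasons not to trust `cert` for `hostname`; an empty list means it passed."""
    problems = []
    org = subject_field(cert, "organizationName")
    if org != expected_org:
        problems.append(f"organisation is {org!r}, expected {expected_org!r}")
    # Exact SAN match only; wildcard entries are not expanded here.
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if hostname.lower() not in sans:
        problems.append(f"{hostname} is not in subjectAltName")
    return problems

# Constructed sample data (documentation IP ranges, hand-written certificates).
SAMPLE_ANSWERS = {"google": {"203.0.113.66"},
                  "cloudflare": {"192.0.2.10", "192.0.2.11"},
                  "isp": {"192.0.2.10"}}
GOOD_CERT = {"subject": ((("organizationName", EXPECTED_ORG),), (("commonName", HOST),)),
             "subjectAltName": (("DNS", HOST),)}
NO_ORG_CERT = {"subject": ((("commonName", HOST),),),
               "subjectAltName": (("DNS", HOST),)}

if __name__ == "__main__":
    print("outlier resolvers:", resolver_outliers(SAMPLE_ANSWERS))
    print("good cert:", cert_problems(GOOD_CERT, HOST))
    print("no-org cert:", cert_problems(NO_ORG_CERT, HOST))
```

On a live connection, `getpeercert()` returns these fields only when certificate verification is enabled; with verification off it returns an empty dictionary, which `cert_problems` reports as a failure on both checks.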
Industry Impact and Alternative Solutions
The attack sent ripples throughout the cryptocurrency community, with many users expressing concern about the safety of online wallet services. In the aftermath, some users turned to alternative services like MyCrypto, a fork started by a former MEW co-founder that offers similar functionality with a focus on enhanced security practices.
Both MEW and MyCrypto operate as non-custodial wallet solutions, meaning they don’t hold users’ crypto or personal information. Instead, they enable users to check their account balances and facilitate transactions directly to the blockchain, which theoretically limits the potential damage from such attacks.
Why This Matters
The DNS attack on MyEtherWallet represents a significant security incident in the cryptocurrency ecosystem that occurred when Bitcoin was trading at approximately $9,700 and Ethereum at $708. The incident demonstrates several critical points about the evolving nature of cyber threats targeting cryptocurrency infrastructure:
- Infrastructure attacks are increasingly sophisticated: Rather than targeting individual users or exchanges, attackers are now hijacking fundamental internet infrastructure like DNS servers to compromise entire user bases at once.
- Education is paramount: This attack highlights the ongoing need for user education about basic security practices, such as verifying SSL certificates and understanding the risks of manual private key entry.
- Hardware security is essential: For significant cryptocurrency holdings, hardware wallets provide an additional layer of protection that is increasingly necessary given the growing sophistication of attacks.
- Industry collaboration: The response to such attacks requires coordinated efforts between wallet providers, DNS service providers, and the broader cryptocurrency community to implement enhanced security measures.
As the cryptocurrency industry continues to mature, incidents like the MEW DNS attack serve as important learning opportunities that drive improvements in security protocols, user education, and infrastructure resilience. The $365 million market cap at the time of the attack shows that even relatively small incidents can have significant impacts on user confidence and the overall development of the ecosystem.
520 ETH stolen through DNS hijacking, not even a smart contract exploit. infrastructure attacks are scarier than code bugs because users can't audit their DNS resolver
the attackers redirected to phishing sites that looked identical to MEW. if you don't check the SSL cert carefully you're toast
$365K stolen and the fix was switch to Cloudflare DNS. wild how basic the mitigation was for such a devastating attack vector
stolen funds consolidated through mixing services immediately. ETH at $700 made it a juicy target. this is why hardware wallets exist