MyEtherWallet Users Lose $150,000 in Sophisticated BGP and DNS Hijacking Attack

In one of the most alarming cybersecurity incidents to hit the cryptocurrency space, users of MyEtherWallet (MEW) — one of the most popular Ethereum wallet services — fell victim to a sophisticated combined BGP and DNS hijacking attack on April 24, 2018. The attack resulted in approximately $150,000 worth of Ethereum being stolen from unsuspecting users who were redirected to a malicious phishing site hosted on a server in Russia.

TL;DR

  • MyEtherWallet users lost roughly $150,000 in Ethereum after a coordinated BGP and DNS hijacking attack
  • Attackers exploited internet infrastructure, compromising an upstream ISP to redirect traffic through Amazon Route 53 DNS
  • The phishing site was hosted on a Russian server and used a self-signed SSL certificate as the only warning sign
  • Amazon Web Services confirmed its own systems were not compromised; the attack originated from Ohio-based ISP eNet
  • Security researchers called it the largest-scale attack combining both BGP and DNS vulnerabilities

How the Attack Unfolded

The incident began around midnight Eastern Time on April 24, when MEW users started noticing something unusual. Upon connecting to the service, they were presented with a self-signed SSL certificate — a broken link in the site verification chain that many web users routinely click through without much thought.

Anyone who accepted the certificate warning was silently redirected to a malicious server in Russia. This fake version of MyEtherWallet was designed to look identical to the legitimate service, but once users entered their private keys, the attackers immediately drained their wallets.

Blockchain records from the attacker wallet (0xb3aaaae47070264f3595c5032ee94b620a583a39) showed that the thieves made off with at least $13,000 during the roughly two-hour window before the attack was shut down. However, the total damage was estimated at around $150,000. Notably, the attacker wallet already contained more than $17 million in Ethereum before the attack, suggesting this was far from their first operation.

Breaking Down Internet Infrastructure

What made this attack particularly concerning was the method of execution. The attackers did not compromise MyEtherWallet itself. Instead, they exploited fundamental weaknesses in how internet traffic is routed — specifically targeting the Border Gateway Protocol (BGP) and the Domain Name System (DNS).

MyEtherWallet uses Amazon Route 53 for its DNS service. The attackers managed to compromise an upstream internet service provider — identified as Ohio-based eNet — and used that access to announce a subset of Route 53 IP addresses to other peered networks. These networks, unaware of the hijack, accepted the false routing announcements and directed a portion of MEW traffic to the phishing server.
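The routing behaviour described above, and a check a receiving network can run against it, as an added example that is not part of the original article. It assumes the hijacked subset was announced as more-specific prefixes and that the legitimate operator has published ROA-style records, and it applies RFC 6811 route origin validation; all prefixes and AS numbers are documentation values, not those involved in the incident.

```python
import ipaddress

# Constructed ROA-style records (prefix, max_length, origin_as). Prefixes are
# RFC 5737 documentation ranges and ASNs are RFC 5398 documentation ASNs.
ROAS = [
    ("203.0.113.0/24", 24, 64496),   # stands in for the DNS provider's route
    ("198.51.100.0/24", 24, 64497),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Both the origin AS and the prefix length must be authorized.
        if roa_as == origin_as and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def best_route(destination, announcements):
    """Longest-prefix match: the most specific covering announcement wins."""
    addr = ipaddress.ip_address(destination)
    matches = [a for a in announcements if addr in ipaddress.ip_network(a[0])]
    return max(matches, key=lambda a: ipaddress.ip_network(a[0]).prefixlen,
               default=None)

def flag_hijacks(announcements, roas=ROAS):
    """Return the announcements a validating router would reject."""
    return [a for a in announcements
            if validate_origin(a[0], a[1], roas) == "invalid"]

# Constructed announcements as seen by a peer: (prefix, origin_as).
SEEN = [
    ("203.0.113.0/24", 64496),     # legitimate covering route
    ("203.0.113.0/25", 64511),     # more-specific from an unauthorized origin
    ("203.0.113.128/25", 64511),   # other half of the same address space
    ("192.0.2.0/24", 64498),       # no ROA covers this prefix
]

if __name__ == "__main__":
    print("203.0.113.53 is routed via", best_route("203.0.113.53", SEEN))
    for prefix, asn in SEEN:
        print(prefix, "AS%d" % asn, validate_origin(prefix, asn))
```

Without validation, traffic for the resolver address follows the unauthorized /25 because it is more specific than the legitimate /24; with validation, both /25 announcements are rejected, including one that forges the correct origin AS, because they exceed the authorized maximum length.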

Security researcher Kevin Beaumont described the attack as the largest scale combination of BGP and DNS exploits he had witnessed, underscoring the fragility of internet security at its most fundamental level.

Amazon and Equinix Respond

Amazon Web Services moved quickly to clarify that its own infrastructure had not been breached. In an official statement, AWS emphasized that neither AWS nor Amazon Route 53 were hacked or compromised. The attack vector was an upstream ISP that was itself compromised, allowing the malicious actor to propagate false routing information across the internet.

Equinix, the data center provider whose Chicago facility was implicated in the attack, also issued a statement clarifying that the server used was customer equipment deployed at one of their IBX data centers — not Equinix-owned infrastructure. The company noted that they generally do not have visibility or control over what their customers do with their equipment.

MyEtherWallet Community Response

MyEtherWallet confirmed the attack in an official statement on Reddit, advising users to run a local offline copy of the wallet as a precaution. MEW was careful to point out that the breach was not due to any vulnerability in their platform, but rather a result of hackers exploiting public-facing DNS servers — a technique that has been used for decades to target organizations of all sizes, including major banks.

For users who lost funds in the attack, there was unfortunately no recourse. Transactions on the Ethereum blockchain are irreversible, and the stolen funds had already been consolidated into the attacker wallet. The incident served as a stark reminder of the importance of verifying SSL certificates and using hardware wallets or offline solutions for storing significant cryptocurrency holdings.

Why This Matters

This attack was a watershed moment in cryptocurrency security, demonstrating that even the most fundamental internet infrastructure — the protocols that route traffic and resolve domain names — can be weaponized against crypto users. With Ethereum trading at approximately $708 on this date and Bitcoin near $9,697, the cryptocurrency market was in the midst of a significant recovery, making wallet security more critical than ever. The MEW incident underscored the urgent need for DNSSEC and HSTS implementation across the crypto ecosystem, and it served as a wake-up call for both service providers and individual users about the sophistication of attacks targeting digital assets.
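On the HSTS point: under RFC 6797 a browser that already holds an HSTS policy for a host treats certificate errors on that host as fatal, so the click-through described earlier is not offered. The following is an added example, not from the original article, that audits a `Strict-Transport-Security` header value; the result labels and the sample headers in the test are constructed for illustration, and the one-year threshold reflects the browser preload list's submission requirement.

```python
ONE_YEAR = 31536000  # seconds; minimum max-age for preload-list submission

def parse_hsts(header):
    """Parse a Strict-Transport-Security value per RFC 6797; None if invalid."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are permitted
        name, _, value = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        value = value.strip().strip('"')  # values may be quoted-strings
        if name in directives:
            return None                   # a repeated directive voids the header
        directives[name] = value
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                       # max-age is required and numeric
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def assess(header):
    """Summarize what protection a header value gives against click-through."""
    policy = parse_hsts(header)
    if policy is None:
        return "no-policy"                # browser ignores the header
    if policy["max_age"] == 0:
        return "policy-removed"           # max-age=0 tells the browser to forget
    if (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] >= ONE_YEAR):
        return "preload-eligible"         # can cover a user's first visit too
    return "returning-visitors-only"      # protects only after a clean visit

if __name__ == "__main__":
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=600", "includeSubDomains", "max-age=0"):
        print(repr(sample), "->", assess(sample))
```

A policy that is not preloaded protects only users whose browser saw the header on an earlier, untampered visit.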

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always verify website certificates and consider using hardware wallets for cryptocurrency storage.
