
MyEtherWallet Users Lose $150,000 in Sophisticated BGP and DNS Hijacking Attack

In one of the most alarming cybersecurity incidents to hit the cryptocurrency space, users of MyEtherWallet (MEW) — one of the most popular Ethereum wallet services — fell victim to a sophisticated combined BGP and DNS hijacking attack on April 24, 2018. The attack resulted in approximately $150,000 worth of Ethereum being stolen from unsuspecting users who were redirected to a malicious phishing site hosted on a server in Russia.

TL;DR

  • MyEtherWallet users lost roughly $150,000 in Ethereum after a coordinated BGP and DNS hijacking attack
  • Attackers used a compromised upstream ISP to announce routes for a slice of Amazon Route 53's IP space, so DNS queries for the MEW domain were answered by an attacker-controlled server instead of Route 53
  • The phishing site was hosted on a Russian server and presented a self-signed TLS certificate; the browser warning it triggered was the only visible sign that anything was wrong
  • Amazon Web Services confirmed its own systems were not compromised; the attack originated from Ohio-based ISP eNet
  • Security researchers called it the largest-scale attack combining both BGP and DNS vulnerabilities

How the Attack Unfolded

The incident began around midnight Eastern Time on April 24, when MEW users started noticing something unusual. Upon connecting to the service, they were presented with a self-signed TLS certificate, one that no trusted certificate authority had issued for myetherwallet.com. The browser warning this produces is exactly the kind of interstitial that many web users routinely click through without much thought.

By the time the warning appeared, the browser was already talking to a malicious server in Russia: the hijacked DNS answers had pointed myetherwallet.com at the attacker's host, and accepting the warning simply let the fake page load. This fake version of MyEtherWallet was designed to look identical to the legitimate service, but once users entered their private keys, the attackers immediately drained their wallets.

Blockchain records from the attacker wallet (0xb3aaaae47070264f3595c5032ee94b620a583a39) showed that the thieves made off with at least $13,000 during the roughly two-hour window before the attack was shut down. However, the total damage was estimated at around $150,000. Notably, the attacker wallet already contained more than $17 million in Ethereum before the attack, suggesting this was far from their first operation.

Breaking Down Internet Infrastructure

What made this attack particularly concerning was the method of execution. The attackers did not compromise MyEtherWallet itself. Instead, they exploited fundamental weaknesses in how internet traffic is routed — specifically targeting the Border Gateway Protocol (BGP) and the Domain Name System (DNS).

MyEtherWallet uses Amazon Route 53 for its DNS service. The attackers managed to compromise an upstream internet service provider, identified as Ohio-based eNet, and used that access to announce more-specific routes for a slice of Route 53's address space to eNet's peers. BGP prefers the most specific matching prefix and carries no built-in check on who is entitled to originate one, so networks that accepted the announcement began forwarding DNS queries bound for Route 53 to the attacker's server instead. That server answered queries for myetherwallet.com with the address of the phishing host. Only resolvers whose path to Route 53 happened to run through the hijacked routes were affected, which is why a portion of MEW traffic, rather than all of it, ended up at the fake site.
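The mechanics in the paragraph above, as an added example that is not code from the article, MEW or Amazon: a tiny routing table with longest-prefix match shows why a more-specific announcement from a compromised upstream captures the DNS queries, and an RFC 6811 route origin validation (ROV) check against an RPKI ROA shows how a validating router would have dropped it. Every number is constructed: prefixes come from the RFC 5737 documentation ranges and AS numbers from the RFC 5398 reserved range, not Amazon's or eNet's real allocations, and the domain and answers are placeholders.

```python
"""Simulated BGP more-specific hijack of a DNS provider's prefix, plus RPKI ROV.

Constructed example: all prefixes, AS numbers, addresses and names are
documentation/reserved values, not the real Route 53, eNet or MEW numbers.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    origin_as: int      # last AS in the AS_PATH, the one claiming to own the prefix
    as_path: tuple      # path as seen by our router, nearest neighbour first


@dataclass(frozen=True)
class Roa:
    prefix: Net
    origin_as: int
    max_length: int     # longest prefix the origin may announce under this ROA


DNS_PROVIDER_AS = 64500     # plays the Route 53 role
UPSTREAM_AS = 64501         # plays the compromised upstream role
HIJACKER_AS = 64511

# Authoritative name server for the wallet domain lives inside the provider's /24.
AUTH_DNS_IP = ipaddress.IPv4Address("192.0.2.53")
LEGIT_ROUTES = [
    Route(Net("192.0.2.0/24"), DNS_PROVIDER_AS, (UPSTREAM_AS, DNS_PROVIDER_AS)),
]
# A more-specific /25 injected via the compromised upstream. Every router that
# accepts it prefers it over the legitimate /24 purely on prefix length.
HIJACK_ROUTE = Route(Net("192.0.2.0/25"), HIJACKER_AS, (UPSTREAM_AS, HIJACKER_AS))

# What each origin's server says when a query for the wallet domain lands on it.
ANSWERS = {
    DNS_PROVIDER_AS: {"wallet.example": "198.51.100.10"},  # real web front end
    HIJACKER_AS: {"wallet.example": "203.0.113.66"},       # phishing host
}
# The provider's ROA: only AS 64500 may originate 192.0.2.0/24, and nothing longer.
ROAS = [Roa(Net("192.0.2.0/24"), DNS_PROVIDER_AS, 24)]


def best_route(dst, routes):
    """Longest-prefix match, then shortest AS_PATH (simplified BGP decision process)."""
    covering = [r for r in routes if dst in r.prefix]
    if not covering:
        return None
    return max(covering, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


def rov_state(route, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "not-found"
    if any(roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length
           for roa in covering):
        return "valid"
    return "invalid"


def apply_rov(routes, roas):
    """Drop RPKI-invalid routes, the policy a validating router enforces."""
    return [r for r in routes if rov_state(r, roas) != "invalid"]


def resolve(name, routes):
    """Address a DNS query to AUTH_DNS_IP and return whatever host the routing
    table actually delivers it to says. The query is correct; the path is not."""
    route = best_route(AUTH_DNS_IP, routes)
    if route is None:
        return None
    return ANSWERS[route.origin_as].get(name)


if __name__ == "__main__":
    hijacked = LEGIT_ROUTES + [HIJACK_ROUTE]
    print("clean table   :", resolve("wallet.example", LEGIT_ROUTES))
    print("hijacked table:", resolve("wallet.example", hijacked))
    print("ROV verdict   :", rov_state(HIJACK_ROUTE, ROAS))
    print("after ROV     :", resolve("wallet.example", apply_rov(hijacked, ROAS)))
    # Forging the legitimate origin AS does not help the attacker: the /25
    # exceeds the ROA's maxLength, so the route is still invalid.
    forged = Route(Net("192.0.2.0/25"), DNS_PROVIDER_AS,
                   (UPSTREAM_AS, HIJACKER_AS, DNS_PROVIDER_AS))
    print("forged origin :", rov_state(forged, ROAS))
```

Two things the simulation makes concrete: the resolver never does anything wrong (it sends a correctly addressed query to the right server), and ROV only helps on the path that actually validates. A single non-validating network between the resolver and the DNS provider re-creates the hijacked table for everyone behind it.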

Security researcher Kevin Beaumont described the attack as the largest scale combination of BGP and DNS exploits he had witnessed, underscoring the fragility of internet security at its most fundamental level.

Amazon and Equinix Respond

Amazon Web Services moved quickly to clarify that its own infrastructure had not been breached. In an official statement, AWS emphasized that neither AWS nor Amazon Route 53 were hacked or compromised. The attack vector was an upstream ISP that was itself compromised, allowing the malicious actor to propagate false routing information across the internet.

Equinix, the data center provider whose Chicago facility housed the server that answered the hijacked DNS queries, also issued a statement clarifying that the server was customer equipment deployed at one of its IBX data centers, not Equinix-owned infrastructure. The company noted that it generally does not have visibility into or control over what customers do with their equipment.

MyEtherWallet Community Response

MyEtherWallet confirmed the attack in an official statement on Reddit, advising users to run a local offline copy of the wallet as a precaution. MEW was careful to point out that the breach was not due to any vulnerability in their platform, but rather a result of hackers exploiting public-facing DNS servers — a technique that has been used for decades to target organizations of all sizes, including major banks.

For users who lost funds in the attack, there was unfortunately no recourse. Transactions on the Ethereum blockchain are irreversible, and the stolen funds had already been consolidated into the attacker wallet. The incident served as a stark reminder never to click through TLS certificate warnings, and to keep significant holdings in a hardware wallet or an offline signing setup, where a phishing page cannot simply read the private key out of a form field.

Why This Matters

This attack was a watershed moment in cryptocurrency security, demonstrating that even the most fundamental internet infrastructure, the protocols that route traffic and resolve domain names, can be weaponized against crypto users. With Ethereum trading at approximately $708 on this date and Bitcoin near $9,697, the cryptocurrency market was in the midst of a significant recovery, making wallet security more critical than ever. The MEW incident underscored the urgent need for DNSSEC and HSTS across the crypto ecosystem, with an important caveat on each: HSTS would have turned the self-signed certificate into a hard, non-bypassable browser error rather than a dismissable warning, but only for a host the browser already knew was HSTS (via a prior visit or the preload list); DNSSEC would have let validating resolvers reject the forged answers, but only if the zone were signed and the resolver validated. Neither addresses the root cause, which is that any network on the path can be made to accept a bogus route; that is the problem RPKI route origin validation exists to address, and the incident was a wake-up call for providers and individual users alike about the sophistication of attacks targeting digital assets.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always verify website certificates and consider using hardware wallets for cryptocurrency storage.


18 thoughts on “MyEtherWallet Users Lose $150,000 in Sophisticated BGP and DNS Hijacking Attack”

  1. $150K stolen through a BGP hijack and the only warning was a self-signed cert. terrifying how fragile internet routing is

    1. if your ISP gets compromised there’s nothing you can do as an end user. HTTPS can’t save you from BGP attacks. people don’t get this

      1. exactly. BGP hijacking bypasses the entire trust model HTTPS relies on. your browser shows green but you're talking to an attacker

        1. BGP is from the 1980s and still has zero built-in authentication. this attack vector working in 2026 is embarrassing

          1. RPKI exists but adoption is still patchy in 2026. major ISPs do it, tier 3 providers don't bother. the MEW attack would still work against the right path today

          2. route_filter_ bgp_witch_ RPKI deployment is better now but tier 3 ISPs still ignore it. any routing attack targeting the right upstream still works in 2026. we just got lucky nobody tried it at scale again

          3. route_filter_ agreed on RPKI. tier 3 ISPs are the weak link and nobody pressures them. the MEW attack would still work against the right upstream

    2. a self-signed cert was the only red flag and most people click through those without reading. terrifying attack surface

  2. eNet, some Ohio ISP, was the weak link. one small provider and MEW users are sending ETH to a Russian server. wild

    1. Ingrid S. same here. hardware wallet after the MEW incident. watching that attack unfold in real time on twitter was the push i needed

  3. the self-signed cert was the ONLY warning and people still clicked through. browsers need to make cert errors blocking, not dismissable warnings. the UX is fundamentally broken

  4. BGP was designed in the 80s with zero authentication and we are still routing the entire internet through it in 2026. mind boggling

  5. Amazon Route 53 being compromised through an upstream ISP is the scariest part of this. you cannot defend against your DNS provider getting hijacked at the BGP level. hardware wallets are the only answer

  6. self-signed cert warning and people still clicked through. education won't fix this, infrastructure has to

    1. Magnus E. education has a ceiling but so does infrastructure. RPKI should be mandatory and ISPs that don't implement it should face liability. band-aid fixes won't solve protocol-level design flaws from the 80s

    2. a self signed cert was the only warning and people clicked through it. browsers treating cert errors as dismissable is the real UX failure

    3. people still click through cert warnings in 2026. education is necessary but it has a ceiling. the UX of security is the real bottleneck
