The cryptocurrency ecosystem faced a dual-pronged security crisis on June 19, 2024, as politically motivated phishing campaigns targeting Trump supporters and a newly disclosed MFA bypass technique exposed the widening attack surface facing digital asset holders. With Bitcoin trading at approximately $64,960 and Ethereum at $3,559, the sheer value locked in crypto wallets makes every new vulnerability a high-stakes threat.
The Exploit Mechanics
Security researchers at EclecticIQ uncovered a sophisticated campaign leveraging the ONNX protocol to bypass multi-factor authentication on Microsoft 365 accounts. The attack vector exploits a weakness in the authentication flow that allows threat actors to intercept and relay MFA tokens in real time, effectively neutralizing what most users consider their primary line of defense against unauthorized access.
Simultaneously, cybersecurity firm Netcraft documented a surge in crypto donation scams capitalizing on the Trump campaign’s announcement that it would accept cryptocurrency donations. Fraudsters registered misspelled domains such as “donalbjtrump[.]com” and “doonaldjtrump[.]com” within hours of the campaign’s crypto announcement, creating near-identical replicas of the official donation portal.
These fake sites integrated lookalike payment processors mimicking Coinbase, Coingate, Plisio, and Oxapay, making it exceptionally difficult for donors to distinguish legitimate from fraudulent transactions. The attackers leveraged AI tools to generate convincing website copy and phishing emails, amplifying the scale and sophistication of the campaign beyond what traditional scam operations could achieve.
Affected Systems
The ONNX MFA bypass primarily targets enterprise environments using Microsoft 365 for email and document management, which includes a significant portion of crypto companies, exchanges, and blockchain startups. Once an attacker gains access to a corporate email account, they can intercept password reset links, two-factor authentication codes, and sensitive wallet information.
The Trump campaign donation scams affect individual crypto users across all major networks, including Bitcoin, Ethereum, and various ERC-20 tokens. Netcraft reported that the fraudulent domains began appearing immediately after the campaign’s crypto donation announcement, with the volume of scam sites intensifying following Trump’s federal conviction on May 31, when the campaign raised over $50 million in 24 hours.
The intersection of these two threats is particularly concerning: attackers who bypass MFA on corporate accounts could gain access to internal systems at crypto firms, while retail users face increasingly convincing phishing sites that use real-world political events as social engineering bait.
The Mitigation Strategy
For the ONNX MFA bypass, organizations should migrate from SMS-based and basic push notification authentication to hardware security keys (FIDO2/WebAuthn). These tokens are resistant to relay attacks because they cryptographically bind to the specific domain being authenticated, making interception and replay impossible.
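The domain binding described above shows up in the checks a relying party runs on every WebAuthn assertion. The following is an added example, not code from EclecticIQ or this article; the host names and the functions `simulate_assertion` and `check_origin_binding` are hypothetical, and signature verification is assumed to be handled separately.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulate_assertion(page_origin: str, challenge: bytes):
    """Constructed stand-in for browser + authenticator output on a given page.

    The browser, not the page, writes the origin into clientDataJSON, and the
    authenticator hashes the RP ID it was scoped to (here: the page's host).
    """
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32) | flags (1, bit 0 = user present) | signCount (4)
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data

def check_origin_binding(client_data_json: bytes, authenticator_data: bytes,
                         expected_challenge: bytes, expected_origin: str,
                         rp_id: str) -> list:
    """Return the names of failed checks; an empty list means the binding holds."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    if client.get("origin") != expected_origin:
        failures.append("origin")
    if len(authenticator_data) < 37 or \
            authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")
    elif not authenticator_data[32] & 0x01:
        failures.append("userPresent")
    return failures

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server uses fresh random bytes
    for origin in ("https://login.example.com", "https://login.example-relay.test"):
        cd, ad = simulate_assertion(origin, challenge)
        print(origin, check_origin_binding(cd, ad, challenge,
                                           "https://login.example.com",
                                           "login.example.com"))
```

A relayed challenge still matches, which is why one-time codes and push approvals can be forwarded; the origin and `rpIdHash` values are what expose the lookalike page.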
Netcraft recommended that political campaigns and organizations accepting crypto donations implement domain monitoring services that flag suspicious registrations in real time. Additionally, users should verify donation URLs directly from official campaign channels rather than clicking links in emails or text messages.
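One way a monitoring service can flag lookalike registrations such as the two Netcraft examples, as an added example that is not from Netcraft or this article. It assumes the protected domain is `donaldjtrump.com` (inferred from the lookalikes, not stated above), single-label TLDs, and a feed of newly registered names; the last two feed entries are constructed.

```python
BRAND = "donaldjtrump.com"  # assumed protected domain, inferred from the lookalikes

NEW_REGISTRATIONS = [
    "donalbjtrump[.]com", "doonaldjtrump[.]com",  # quoted in the article
    "donaldjtrump-crypto[.]org",                  # constructed
    "weather-report[.]net",                       # constructed
]

def refang(domain: str) -> str:
    """Normalise a defanged indicator such as 'example[.]com'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain: str, brand: str = BRAND, max_distance: int = 2) -> str:
    """Return 'official', 'typosquat', 'brand-embedded' or 'unrelated'."""
    name, brand = refang(domain), refang(brand)
    if name == brand or name.endswith("." + brand):
        return "official"
    # Label immediately left of the TLD (assumes a single-label TLD).
    label = name.rsplit(".", 1)[0].split(".")[-1]
    brand_label = brand.rsplit(".", 1)[0]
    if osa_distance(label, brand_label) <= max_distance:
        return "typosquat"
    if brand_label in label.replace("-", ""):
        return "brand-embedded"
    return "unrelated"

def flag(feed):
    """Return (domain, verdict) pairs that an analyst should review."""
    return [(d, v) for d in feed if (v := classify(d)) not in ("official", "unrelated")]

if __name__ == "__main__":
    for domain, verdict in flag(NEW_REGISTRATIONS):
        print(f"{verdict:15} {domain}")
```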
Exchange operators and wallet providers should consider implementing address allowlisting for high-value transactions, requiring users to pre-register withdrawal addresses through a separate verification process. This creates an additional layer of protection even if an attacker compromises login credentials.
Lessons Learned
The convergence of political events and cryptocurrency creates a unique threat landscape where attackers exploit heightened emotions and urgency to bypass rational security thinking. The Trump campaign scam demonstrates that any major public announcement involving crypto can trigger an immediate wave of fraudulent activity.
The ONNX MFA bypass reinforces that traditional multi-factor authentication is no longer sufficient as a standalone security measure. Organizations handling significant cryptocurrency assets must adopt phishing-resistant authentication methods and implement zero-trust architecture principles.
Perhaps most critically, the use of AI by threat actors to generate convincing phishing content signals a fundamental shift in the economics of social engineering attacks. What previously required skilled human operators can now be automated at scale, lowering the barrier to entry for sophisticated crypto theft.
User Action Required
Individual crypto holders should immediately audit their authentication methods, switching to hardware security keys where possible. Before making any crypto donation, verify the recipient address through multiple independent sources. Enable withdrawal address allowlisting on all exchange accounts and consider using a dedicated hardware wallet for long-term storage. Organizations should conduct an immediate review of their MFA implementation, prioritizing migration to FIDO2-compatible solutions and implementing real-time domain monitoring for their brand assets.

MFA bypass via ONNX protocol is terrifying. most people think 2FA makes them bulletproof and it just… doesn't anymore
hardware keys via webauthn are the only thing that stops relay attacks. app-based 2FA and SMS are basically decoration at this point
phishspotter ONNX relay attacks mean even hardware keys can be intercepted if the session token gets hijacked. 2FA is speed bumps not walls at this point
The Trump donation scam domains were registered within hours. these crews move faster than most security teams can respond
dontalbjtrump[.]com lol the typosquatting is almost lazy but clearly it works on enough people
scam domain registration within hours of an announcement is standard now. the 2024 election cycle had fake donation sites for both sides running within minutes
Kurt N. hours not days. the trump donation announcement went viral and scammers had fake domains up before most legitimate news outlets covered it
the overlap between political phishing and crypto targeting is growing because crypto wallets don't have chargebacks. once the funds leave, they're gone
BTC at $65K and ETH at $3.5K means every wallet is a high value target. the ONNX MFA bypass combined with political phishing is a perfect storm for crypto holders
BTC at $65K means the average active wallet holds enough to make phishing profitable. the incentive to build sophisticated attacks scales with crypto valuations