Cyber Incident Victim: MyEtherWallet
Date: Apr 2018
Location: Russia
Summary
A hacker hijacked the DNS servers of MyEtherWallet.com via a BGP route manipulation attack, redirecting users to a fraudulent phishing site designed to steal private keys and drain cryptocurrency wallets. The attackers exploited hijacked Amazon Route 53 infrastructure to reroute traffic to a server in Russia, where the fake site used a self-signed TLS certificate that triggered browser security warnings. Despite these visible errors, some users proceeded to enter credentials, resulting in the theft of approximately $160,000 worth of Ether. The service detected the hijacking and alerted users via social media while working to regain DNS control. This incident followed a pattern of similar DNS-based attacks targeting cryptocurrency platforms, highlighting vulnerabilities in internet routing infrastructure.
Description
On April 24, 2018, attackers executed a BGP route hijack targeting Amazon’s Route 53 DNS infrastructure, specifically announcing unauthorized routes for IP blocks 205.251.192.0/24, 205.251.193.0/24, 205.251.195.0/24, 205.251.197.0/24, and 205.251.199.0/24 from approximately 11:05 to 13:03 UTC. This manipulation redirected traffic intended for Amazon’s DNS servers to attacker-controlled systems. The hijack impacted MyEtherWallet.com, a web-based Ethereum wallet service, by altering DNS resolutions for its domain. Users attempting to access the legitimate site were instead directed to a fraudulent replica hosted on a Russian IP address. The phishing site harvested private keys from users who entered their credentials, enabling the theft of Ethereum funds. MyEtherWallet administrators detected anomalous activity and issued warnings via Twitter at 11:54 AM UTC, urging users to avoid logging in while attributing the issue to compromised DNS servers unrelated to their infrastructure.

The attacker’s phishing site utilized a self-signed TLS certificate, triggering browser security warnings that many users disregarded. Approximately 215 Ether (valued at $160,000 at the time) were stolen from victim wallets and consolidated into the attacker’s address (0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29). After two hours, as MyEtherWallet regained control of its DNS records, the attacker transferred the stolen funds to another account. Oracle’s Internet Intelligence team and third-party researchers confirmed the BGP hijack’s scope, noting the involvement of AS10297 (eNet, Columbus, Ohio) in announcing the unauthorized Amazon routes. The incident mirrored prior DNS hijacks against cryptocurrency platforms like BlackWallet ($400,000 stolen in January 2018) and EtherDelta (December 2017). MyEtherWallet’s response focused on public alerts via social media and collaboration with DNS providers to restore service integrity, while the attacker’s infrastructure remained operational only during the brief hijacking window.
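A defender-side illustration, added here and not part of the original report: a route monitor that flags BGP announcements covering the five Route 53 prefixes named above when the origin ASN is not the expected one, including the more-specific-prefix case that wins longest-prefix matching. The five prefixes and AS10297 come from the description; Amazon's origin ASN (AS16509) and the feed contents are assumptions.

```python
import ipaddress

# Constructed example, not from the original report. EXPECTED_ORIGIN is an
# assumption: the page names the hijacked prefixes but not Amazon's ASN
# (AS16509 is Amazon's registered ASN; it stands in as the legitimate origin).
EXPECTED_ORIGIN = 16509
MONITORED = [ipaddress.ip_network(p) for p in (
    "205.251.192.0/24", "205.251.193.0/24", "205.251.195.0/24",
    "205.251.197.0/24", "205.251.199.0/24",
)]

def classify(prefix, as_path):
    """Return an alert dict if this announcement overlaps monitored space with an
    origin other than EXPECTED_ORIGIN, else None. The origin is the last ASN in
    the AS_PATH; upstream transit ASNs are not judged."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for watched in MONITORED:
        if not net.overlaps(watched):
            continue
        if origin == EXPECTED_ORIGIN:
            return None
        if net == watched:
            kind = "exact_prefix_from_wrong_origin"
        elif net.prefixlen > watched.prefixlen:
            kind = "more_specific_from_wrong_origin"   # beats the legitimate route
        else:
            kind = "covering_prefix_from_wrong_origin"
        return {"prefix": prefix, "origin": origin, "watched": str(watched), "kind": kind}
    return None

def scan(feed):
    """feed: iterable of (seen_at, prefix, as_path). Returns alerts with timestamps."""
    alerts = []
    for seen_at, prefix, as_path in feed:
        alert = classify(prefix, as_path)
        if alert:
            alert["seen_at"] = seen_at
            alerts.append(alert)
    return alerts

# Constructed feed shaped like the event described: AS10297 is the ASN the report
# names as announcing the Amazon routes; other ASNs are documentation-range
# placeholders (RFC 5398), and the /25 entry is a hypothetical more-specific.
SAMPLE_FEED = [
    ("2018-04-24T10:58Z", "205.251.192.0/24", [64500, 16509]),   # legitimate
    ("2018-04-24T11:05Z", "205.251.192.0/24", [64500, 10297]),   # hijacked, as reported
    ("2018-04-24T11:05Z", "205.251.197.0/24", [64500, 10297]),
    ("2018-04-24T11:06Z", "205.251.193.0/25", [64500, 64496]),   # hypothetical more-specific
    ("2018-04-24T11:07Z", "198.51.100.0/24",  [64500, 64496]),   # unrelated prefix
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FEED):
        print(a["seen_at"], a["kind"], a["prefix"], "origin AS%d" % a["origin"])
```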
