New MyEtherWallet Phishing Campaign Detected

A new MyEtherWallet phishing campaign has been detected that uses a convincing domain and MyEtherWallet branding to fool MyEtherWallet users into revealing their credentials and providing criminals with access to their MyEtherWallet accounts. In the first few hours of the campaign, the criminals behind the scam had obtained more than $15,000 of MyEtherWallet funds, including $13,000 from one MyEtherWallet user.

The individuals behind this campaign have registered a domain name that closely resembles that of the legitimate MyEtherWallet website. The domain is almost identical to the real one, and a casual glance at the URL would not reveal anything untoward. The spoofed site uses the same design, logos, and color schemes as the genuine website.

Links to the spoofed site are being distributed in phishing emails, which advise recipients about a ‘hard fork’ update. Clicking the link in the email directs users to the spoofed site, where they are required to enter their private keys and verify their ETH and token balances. Responding to the request gives the attackers access to the victims’ MyEtherWallet funds, allowing transfers to be made to the cybercriminals’ wallets.

The scam was uncovered by security researcher Wesley Neelen, who along with his colleague, Rik van Duijn, investigated the spoofed website, identified the source code and log files, and saw a list of compromised wallets. In total, 52.56 Ether – approximately $16,000 – had already been stolen.

The researchers asked the domain registrar to take down the spoofed domain, although at present the domain is still believed to be active. The scam has also been reported to law enforcement.

This MyEtherWallet phishing campaign shows just how important it is to stop and think before responding to any email request. Any link in an email that leads to a page requiring a logon should be treated as suspicious. If a request such as this is received, it is important to visit the legitimate site by entering the URL directly into the browser rather than using any link sent via email. By visiting the genuine site, users will be able to check whether there is a need to update any software and whether the request is genuine.
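The same check can be automated at a mail gateway. The following is an added example, not code from the article or from MyEtherWallet: it flags links whose host imitates the genuine domain through typos, accented or punycode characters, or by embedding the brand in another domain. It assumes the genuine host is `myetherwallet.com` (the article prints neither domain), and all sample URLs are constructed.

```python
import re
import unicodedata
from urllib.parse import urlsplit

LEGIT = "myetherwallet.com"      # assumption: genuine host, not quoted in the article
BRAND = LEGIT.split(".")[0]

def skeleton(host):
    """Decode punycode labels to Unicode, then strip accents so look-alike letters fold to ASCII."""
    try:
        host = host.encode("idna").decode("idna")
    except UnicodeError:
        pass                     # malformed IDN: keep the raw host and compare as-is
    text = unicodedata.normalize("NFKD", host)
    return "".join(c for c in text if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == LEGIT or host.endswith("." + LEGIT):
        return "genuine"
    folded = skeleton(host)
    # Crude registrable domain (last two labels); a real deployment would use a public suffix list.
    base = ".".join(folded.split(".")[-2:])
    if edit_distance(base, LEGIT) <= 2 or BRAND in folded.replace("-", ""):
        return "lookalike"
    return "unrelated"

def suspicious_links(body):
    """Return every URL in an email body whose host imitates the genuine domain."""
    return [u for u in re.findall(r"https?://[^\s\"'<>]+", body) if classify(u) == "lookalike"]

# Constructed sample email; none of these URLs come from the article.
SAMPLE_EMAIL = (
    "Subject: Hard fork update\n"
    "Update here: http://myetherwal1et.com/hardfork\n"
    "Or here: https://myetherwall\u00e9t.com/update\n"
    "Official site: https://www.myetherwallet.com/\n"
)

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_EMAIL))
```

Accent folding does not cover look-alike letters from other scripts such as Cyrillic; those are caught by the edit-distance threshold instead.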

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news