Cybercriminals Exploit Google’s Framework in Sophisticated Phishing Attacks Against Cryptocurrency Users

2 weeks ago

Phishing Attacks Targeting Cryptocurrency Users

As phishing attacks grow increasingly sophisticated, criminals are now leveraging Google’s infrastructure to deceive cryptocurrency users. On April 16, concerns were raised by Nick Johnson, the creator and chief developer of Ethereum Name Service (ENS), regarding a new technique employed by hackers to infiltrate Gmail accounts and thereby endanger linked crypto wallets.

Exploiting Vulnerabilities in Google’s Ecosystem

Johnson noted that these malicious actors take advantage of a vulnerability within Google’s ecosystem to send fraudulent emails that resemble legitimate security notifications from Google itself. These deceptive messages carry valid DomainKeys Identified Mail (DKIM) signatures, which allow them to sidestep spam filters and appear credible to recipients.

Redirection to Scam Sites

Once the victim opens one of these emails, they are redirected to a fraudulent support page that mimics Google’s interface, hosted on a subdomain of Google. On this counterfeit site, unsuspecting users are prompted to log in and upload sensitive personal information. Johnson cautioned that this could lead to stolen credentials, compromising Gmail accounts and any related services.

Red Flags and Ongoing Risks

One of the red flags is that these phishing sites utilize Google’s Sites platform, which permits the integration of custom scripts and media. While this feature is beneficial for legitimate users, it also empowers malicious actors to create highly convincing fraudulent websites. Alarmingly, there is currently no mechanism available for reporting these abuses directly via Google Sites, making it simpler for hackers to maintain their misleading pages online.

Johnson commented on the situation, stating, “Google recognized that allowing public, user-defined content on google.com posed risks long ago, yet Google Sites persists. In my opinion, they should prohibit scripts and random embedding in Sites; it presents a significant phishing risk.”
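Because the DKIM check passes, a mail filter has to look at where the links point rather than at the signature. The following triage check is an added example, not code from Johnson or Google; the authserv-id `mx.example.net`, the host list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumptions (not from the article): the receiving MTA stamps
# Authentication-Results as "mx.example.net" and strips foreign copies.
TRUSTED_AUTHSERV = "mx.example.net"
USER_CONTENT_HOSTS = {"sites.google.com"}  # anyone can publish pages here
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

def google_dkim_pass(msg):
    """True if our own MTA recorded dkim=pass for google.com or a subdomain."""
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].strip().lower() != TRUSTED_AUTHSERV:
            continue  # header not written by our MTA: ignore it
        for result, domain in DKIM_RE.findall(value):
            d = domain.lower()
            if result.lower() == "pass" and (d == "google.com" or d.endswith(".google.com")):
                return True
    return False

def linked_hosts(msg):
    """Hostnames of every http(s) link found in the text parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            hosts |= {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(text)}
    return hosts

def triage(raw_message):
    """Flag mail that authenticates as Google yet links to user-published pages."""
    msg = message_from_string(raw_message)
    risky = sorted(linked_hosts(msg) & USER_CONTENT_HOSTS)
    return {"dkim_pass_google": google_dkim_pass(msg), "risky_links": risky,
            "suspicious": google_dkim_pass(msg) and bool(risky)}

# Constructed sample messages (placeholder URLs, not taken from the campaign).
HEADERS = ("Authentication-Results: mx.example.net; dkim=pass header.d=google.com\n"
           "From: no-reply@google.com\nSubject: Security alert\n\n")
LURE = HEADERS + "Review the case: https://sites.google.com/view/EXAMPLE-PLACEHOLDER\n"
BENIGN = HEADERS + "Check activity: https://myaccount.google.com/notifications\n"
SPOOFED_AR = LURE.replace("mx.example.net", "mx.attacker.example")
```

`triage(LURE)` is flagged while `triage(BENIGN)` is not, and `SPOOFED_AR` shows that an Authentication-Results header from an unknown server is not counted as a DKIM pass.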

Creating Credible Communication

To bolster the credibility of their ruse, the attackers also establish a Google OAuth application that structures and disseminates phishing communications. These messages are crafted to look formal and include what seems to be contact details for Google’s Legal Support team.

Reporting the Vulnerability

In response to this alarming issue, Johnson reported that he filed a bug report with Google about the identified vulnerability. However, Google reportedly dismissed the report, stating that the features were functioning as designed and did not constitute a security flaw.

“I submitted a bug report to Google about this; unfortunately, they closed it as ‘Working as Intended’ and clarified that they do not view it as a security concern,” Johnson stated.

He nonetheless encouraged Google to re-evaluate their script and embedding capabilities to mitigate the potential for further exploitation.

Impact on the Cryptocurrency Community

This incident underscores the escalating sophistication of phishing schemes targeting the cryptocurrency community. Data from Scam Sniffer reveals that in March 2025, approximately 6,000 individuals lost around $6.37 million due to such scams, with over 22,654 reported victims experiencing losses of $21.94 million in the first quarter of the year alone.
