Early in the morning of March 27, hackers impersonating Decrypt sent an email to our newsletter subscribers announcing a fictitious token airdrop. As soon as we got wind of the phishing attempt, we sent a follow-up email notifying our readers of the scam.
However, in our haste to warn our subscribers, and because of a similar phishing attempt that occurred in January, we incorrectly blamed our email service provider, MailerLite, for this attack. In fact, the hackers had apparently obtained our password key to the service from someone on Decrypt’s side—MailerLite was not at fault.
“Due to security reasons, MailerLite does not store information on API keys, therefore, it is not possible to access it in MailerLite’s admin panel or the account in general,” a MailerLite spokesperson told us today. “It means that even though Decrypt Media’s account was affected during the data breach that happened at MailerLite on the 23rd January, 2024, perpetrators were not able to access API keys that could lead to sending of phishing campaigns on 27th March, 2024.”
So shame on us for jumping to the wrong conclusion, and we sincerely apologize to MailerLite.
We’ve been digging into what happened and will be working with law enforcement. According to MailerLite, “the phishing campaigns were orchestrated via the MailerLite API, originating from the IP address «69.4.234.86» and utilizing the user agent «python-requests/2.31.0.» After the intruders accessed our email list, they removed any addresses that ended in decrypt.co or decryptmedia.com so that our staffers wouldn’t be immediately alerted, and sent out their bogus email.
Luckily, the vast majority of our readers are wary of these sorts of phishing attempts; only one person attempted to connect their wallet to the bogus address.
But that is one too many. As mentioned in our earlier email, crypto scams are all too prevalent in our industry, and getting more sophisticated all the time. Decrypt, along with nearly every other crypto firm, has been impersonated or otherwise used as an attack vector. Hackers have even gone as far as to set up entirely separate websites, fake Discord servers, and social media accounts impersonating our staff. (Note that we have only two domains: decrypt.co and decryptmedia.com—if someone directs you to another domain, beware!)