- The founder of Ethereum Name Service has warned of an “extremely sophisticated” phishing attack
- Malicious actors claim that Google has been subpoenaed to share users’ data with law enforcement
- The goal is to steal victims’ email login details and later drain their wallets
The founder of Ethereum Name Service (ENS), Nick Johnson, has warned his X followers of about a highly complicated phishing attack impersonating Google. Johnson revealed that the attack involves sending Gmail users an email claiming that the tech giant has been subpoenaed to share a copy of users’ “Google Account content” with law enforcement agencies. They then ask victims to visit a link to either “examine the case materials or take measures to submit a protest,” a trick that leads to users disclosing their login information and having their wallets drained.
Genuine Google Infrastructure Misused
According to the ENS founder, the attack’s sophistication comes from the fact that it rides on genuine Google infrastructure, passes Google’s security check, and “Gmail displays [the email alerts] without any warnings.” He added that Gmail considers the phishing emails to be “legitimate security alerts.”
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more. Here’s the email I got: pic.twitter.com/tScmxj3um6
— nick.eth (@nicksdjohnson) April 16, 2025
Johnson also disclosed that the link provided takes a victim to a page that closely resembles an actual Google “support portal page.” The site even uses Google’s domain name but with some additions in the link “because they know people will see the domain […] and assume it’s legit.”
The ENS founder noted that the attackers can use a close resemblance of the real Google domain because of “vulnerabilities in Google’s infra[structure].” He added that exploiting these vulnerabilities also favors the attackers because “there’s no way to report abuse from the Sites interface.”
Attackers Unleash Other Tricks
This comes a day after reports emerged that scammers are purchasing abandoned DeFi websites and attaching wallet drainers to nab former users returning to withdraw funds. It also comes when malicious actors are expanding their tricks to include cracking popular crypto software and offering them for free, and sharing wallet seed phrases to bait victims.
With scammers using less-suspicious ways to bait victims, they’re likely to pocket more funds in 2025 and beyond.
