This is an excerpt. To hear the full interview, please click the Soundcloud or Youtube links.
Over the past year, MyEtherWallet has grown from a passion project to a full-fledged firm. The wallet’s simple and efficient user interface is often one of the first things that Ethereum -based token holders interact within the crypto space.
Last week, MyEtherWallet was the target of an elaborate phishing scheme that resulted in the theft of roughly 216 ETH.
Kosala Hemachandra, the founder of MyEtherWallet, spoke with Finance Magnates about the Phishing attack, cybersecurity in the crypto space, and the future of MyEtherWallet.
Last Tuesday’s Unpleasant Phishing Trip
So what happened? “In layman’s terms, someone broke the internet to phish MyEtherWallet,” Kosala said. Essentially, what happened was that a major server was compromised so that users who were trying to reach the MyEtherWallet site were redirected to a fake duplicate site.
“For two hours, all the [MEW] traffic that goes through Amazon servers was redirected to a server in Russia,” Kosala said. The problem happened “within the core system of the internet structure.”
⅕ Google Domain Name System registration servers were hijacked earlier today at roughly 12PM UTC so that MEW users were redirected to a phishing site. This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system.
— MyEtherWallet.com (@myetherwallet) April 24, 2018
“We can only mitigate, and we can only make it harder for people to do things like this, but I honestly don’t think there’s a hundred-percent complete fix that will come out within the foreseeable future,” he explained.
No Legal Action Yet; Reimbursement May Happen if MEW Feels it Was Responsible in Some Way
He went on to say that as of the time of the interview (which was Thursday, April 26th), no law enforcement officials had been involved in the wake of the phishing attack.
However, MyEtherWallet has begun exploring ways to prevent something similar from taking place in the future. “I’m talking with security researchers. This shouldn’t be happening--like, this is way bigger than MyEtherWallet. It can happen to any website out there.”
“I’m pretty sure at some point in time, there will be some investigations. I can either personally get involved or someone will start an investigation on what exactly happened, and how to prevent it, and who the responsible groups are. But as of now, I’m not aware of anything that’s going on” in terms of legal action and law enforcement, he said.
As of yet, there also are not any plans to reimburse users whose funds were stolen. This is “because all of the affected users went through a security warning when they went to MyEtherWallet.com saying ‘hey, this security certificate is invalid, do you still want to proceed?’”
We have *NOT* been hacked. Anyone saying otherwise is a phisher / believed a phisher. Stay wary of links. Stay safe.https://t.co/Jgg5WlyjT2
— MyEtherWallet.com (@myetherwallet) July 21, 2017
Kosala said that he believes that even more damage would have been done if the warning hadn’t been there. “I think most of our users were clever and they didn’t continue to MyEtherWallet” because of the educational measures that MEW has taken.
However, “we are gathering more information from users on exactly what happened--what they did, and how it looked like, and all that information. [Reimbursing] is not something we’re planning to do because of all these things that happened, and they did get a warning. But, yeah, if the community reaches out to us and they think that it’s our fault in a way, that’s something we can look into for sure.”
Preventative Measures
The truth is, “we are having an enormous amount of phishing attacks every single day,” explained Kosala. “There are so many domain names similar to MyEtherWallet--last time I checked I think it was like 6500+.”
“This is why we’re making [something that can be compared to] a hardware wallet, but it’s on your phone. It’s free to download and to use. It’ll create a peer-to-peer connection with MyEtherWallet and your which will be secured and encrypted, and your private key will never leave your phone.”
“Whenever you try to send a transaction, a notification will pop up on your phone to ask you ‘hey, do you actually want to send this transaction?... You will have the ability to either decline or accept,” Kosala added. He also explained that MyEtherWallet is trying to come up with a plan to make the phone-based wallet unavailable for malicious sites.
Even so, if users don’t confirm a transaction from their phones, the transaction won’t go through.
Kosala’s best advice for staying safe in the crypto space? “The cryptocurrency space is not any different from real life. Just like there are bad people in real life, there are bad people in the cryptocurrency world. So, you have to listen to yourself.”
5/5 To keep up this fight against this criminal phishing attack, we need our amazing community to support and educate each other - this is an ongoing battle that requires us all to stick together.
— MyEtherWallet.com (@myetherwallet) April 24, 2018