Email service provider MailerLite was the victim of a phishing attack that targeted the crypto market, the company notified Decrypt on Tuesday.

According to an email alert from the company, the attack happened after a support team member clicked a deceptive link, entered their Google credentials, and confirmed the second-factor challenge—giving hackers access to MailerLite’s internal system.

“Upon gaining access, the perpetrators executed a password reset for a specific user on the admin panel, further consolidating their unauthorized control,” MailerLite said. “With this level of access, they were able to impersonate user accounts. The focus was exclusively on cryptocurrency-related accounts.”

MailerLite says 117 accounts were accessed by the perpetrators, adding that a small number of the accounts were used to launch phishing campaigns using the available names, email addresses, and whatever personal information was uploaded to the service.


According to internet sleuth ZachXBT, affected accounts included CoinTelegraph, Wallet Connect, Token Terminal, and De.Fi. Decrypt was also notified that its account was accessed, but according to MailerLite, no emails were sent from the system, nor was its contacts list exported.

As the hackers were able to wrap their malicious links in the familiar templates of MailerLite customers, over $580,000 was stolen, ZachXBT said. He also shared the address to which the ill-gotten funds were sent.

Web3 security firm Blockaid put the total haul at over $600,000.


“When MailerLite became aware of the incident, MailerLite successfully identified and resolved the issue, terminating the access method used by the perpetrators to infiltrate the platform,” MailerLite said. “MailerLite can confirm that the breach was fully stopped.”

On Wednesday, blockchain analytics platform Nansen revised the figure to $3.3 million—but with a giant asterisk.

"We see about $3.3M in total inflows into the main phishing wallet, 0xe7D13137923142A0424771E1778865b88752B3c7 (on Nansen supported chains)," the platform told Decrypt. "But 2.6M of that number is XBANKING token, which seems to be trading on LATOKEN exchange only (via Coingecko). And seems less liquid. 2.6M is 80% of its FDV, and it could be hard to convert it.

"Without the XBANKING token taken into consideration, it's around 700k in total inflows," Nansen concluded.

MailerLite said the company continues to monitor the situation.

“We will also make the necessary changes to our internal processes, addressing any employees who have not adhered to these processes and focusing on better security training,” the company said.

Editor's note: this article has been updated to reflect additional estimates of the value stolen in the hack. Edited by Ryan Ozawa.