So, the news of the hack of the DNS servers that MEW operates on is absolutely no secret at this point in time.
There are plenty of articles out about it at this point, so I’m not going to waste too much time rehashing the incident or giving a play by play on what occurred.
However, I will provide a brief summary as well as a few other links for those that are curious about what’s going on:
· It started earlier this morning when MEW warned that a couple of its DNS servers ‘might be hacked’: https://cointelegraph.com/news/myetherwallet-warns-that-a-couple-of-its-dns-servers-have-been-hacked
According to CoinTelegraph (link posted above) — approximately $150k worth of ETH was stolen in the DNS hack. More details in the screenshot from the article, posted below:
Perhaps what’s most intriguing is the fact that the MEW company tried to understate the severity of the hack while it was occurring.
Altcointoday.com also had more insightful information on how the hack itself developed throughout the day:
His explanation of the situation can be found here:
This vulnerability appears to be one that has been exploitable for months.
This issue was fleshed out in greater depth by the Blue Protocol earlier in the morning (EST; GMT-4), when this attack was taking place.
They began by giving users advice about how to retrieve their funds from their wallet without compromising its status.
As noted, MEW’s official story is that the source of the vulnerability stemmed from Google themselves and was not the fault of the MEW wallet:
Although, earlier (hours prior) they assigned the blame to Amazon’s DNS servers:
So, what’s really the truth?
It appears that Amazon is aware of this issue, and this was their rebuttal to what happened:
Although there’s no way to definitively know which side is telling the truth based on these statements alone, one must evaluate whether it’s more likely that companies with the economies of scale that Amazon and Google possess would’ve had their servers compromised entirely, or that the ISP that MEW uses was hacked.
It seems much more likely that the latter is true, because it is easy to fool ISPs (lazy ones) using DNS spoofing in a process called DNS Poisoning.
Here’s a link with more information re: the phenomenon — https://usa.kaspersky.com/resource-center/definitions/dns
If you’ve read through to this point, then you must be thinking to yourself, ‘Well, in either case, there’s nothing that MEW’s team could have done to prevent this, right?’
Here are a batch of tweets that were posted by the Blue Protocol on Twitter months ago in January:
Despite the fact that the Blue Protocol was 100% accurate about their claims that the MEW wallet had been compromised via an exploit of the DNS (more than likely at the same ISP via the same exact technique), the report was dismissed in the community as ‘FUD’ for some reason:
Notice the apparent conflict of interest in his Twitter bio. Ironic, right?
As you can see from the screenshot above, even now, there are facets of the community that seem to be in blatant denial about the nature of the hack.
What is worse is that when this issue was exposed by the Blue Protocol in January, CoinTelegraph was complicit in a hitjob piece that expressed MEW Wallet’s refutation of the Blue Protocol report.
Unfortunately, MEW was able to continue forth without the community taking the level of caution that they should have exercised before using their platform, which is one of the main reasons why such a large amount of funds was lost today.
MEW is a company, not some decentralized protocol like Bitcoin. Therefore, they must be held to the same standards as any company.
They were informed of the risks on their protocol via very detailed technical reports by Blue Protocol over three months ago.
Not only did they choose to ignore them and not respond entirely, they also perpetuated the idea that this was a ‘stupid lie’ and entirely false.
In doing this, they showed that they acknowledged the concerns of the Blue Protocol security team (which we now know were completely correct), and still proceeded forth without making any crucial changes to their platform.
So, what they did amounts to nothing but pure fraud at this point, and every single publication/influencer/‘developer’ in the space that RT’d, endorsed or supported the false narrative that MEW perpetuated is equally guilty, though not legally.
Therefore, I personally would advocate that no one ever trust the MEW protocol in any circumstance. Ever.
This company has shown that they are devoid of any moral compass or sense of responsibility to the general public and would rather push false narratives and hide behind the term ‘FUD’ than address the latent issues embedded within their infrastructure.
Click this link below if you’d like to see the full Blue Protocol Security Team Write-Up on the issue: