2 months ago
8353
Betterment, a traditional investing service, was breached by crypto hackers. Thousands of users received fake push notifications and emails, promoting the classic βcrypto giveawayβ scam.
Users received the fake alerts from Bettermentβs mobile app. Others received emails promoting the giveaway scam. The fake message promised to triple usersβ cryptocurrencies. The βpromoβ was valid for three hours.
Crypto attackers impersonate Betterment
The email instructed users to deposit as little as $1 or up to $750,000 in Bitcoin or Ether. The mobile app notification said, βFor example, if you send $10,000 in Bitcoin or Ethereum, weβll send you right back $30,000 to your sending Bitcoin or Ethereum address.β
The hackers added specific Bitcoin and Ether wallet addresses. At the time of writing, the Bitcoin wallet had received 0.14626084 BTC, or $13,290.75. The Ether wallet has a net flow of $1,779.30.
A screenshot of the fake mobile app notification. Source: X.Two hours after the breach, the Betterment team issued a warning on X and Reddit.Β On Reddit, a Betterment representative replied to a thread about the hack,Β saying, βWe apologize for the confusion. This is not a real offer from Bettermentβ¦β
On X, Bettermentβs official account explained that an unauthorized person gained access to its system. This allowed the attacker to send emails and push notifications on behalf of the company.
The company clarified, βIf you clicked on the offer notification, it did not compromise the security of your Betterment account.β Betterment reassured users, saying that βThe unauthorized access has been removed,β and an investigation has been initiated.
In a follow-up post, Betterment said the fake promo came from a third-party system. It wrote, βThis was an unauthorized message sent via a third-party system we use for marketing and other customer communications.β
Upon further inspection, the fake emails came from two inboxes belonging to e[dot]betterment[dot]com. This appears to be a subdomain of Bettermentβs main website.
A Redditor said, βI got an email about this. Everything appears to check out, headers look good, SPF, DKIM, and DMARC all passed.β This means the email was cryptographically authenticated. It was not a spoofed Gmail or a fake sender line. Bettermentβs domain approved the fake email.
Itβs unclear if user data was leaked from Bettermentβs database to the dark web. Moreover, the compromised third-party tool is unidentified yet.
The breach shows how crypto hackers no longer rely on fake websites or cold emails. Attackers now use trusted financial platforms as a means of delivery. Once a user sends crypto, the money is gone. No chargebacks, no reversals, no recovery.
If you're reading this, youβre already ahead. Stay there with our newsletter.
English (US)