ENS founder warns of Google spoof that tricks users with a fake subpoena
The founder and lead developer of Ethereum Name Service has warned his X followers of an “extremely sophisticated” phishing attack that can impersonate Google and trick users into giving out login credentials. The phishi...
Archive context
Older archive item. Useful for background and entity history, but not a fresh market-moving signal.
The founder and lead developer of Ethereum Name Service has warned his X followers of an “extremely sophisticated” phishing attack that can impersonate Google and trick users into giving out login credentials.
The phishing attack exploits Google’s infrastructure to send a fake alert to users informing them that their Google data is being shared with law enforcement due to a subpoena, ENS’ Nick Johnson said in an April 16 post to X.
“It passes the DKIM signature check, and GMail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts,” he said.
The fake subpoena appears to be from a Google no-reply domain. Source: Nick JohnsonAs part of the attack, users are offered the chance to view the case materials or protest by clicking a support page link, which uses Google Sites, a tool that can be used to build a website on a Google subdomain, according to Johnson.
“From there, presumably, they harvest your login credentials and use them to compromise your account; I haven’t gone further to check,” he said.
The Google domain name makes the email appear legitimate, but Johnson points out there are still clear signs it’s a phishing scam — such as it being forwarded from a private email address.
Scammers exploit Google systemsIn an April 11 report, software firm EasyDMARC explained that the phishing scam works by weaponizing Google Sites.
Anyone with a Google account can create a site that looks legitimate and is hosted under a trusted Google-owned domain.
They also use the Google OAuth app, where the “key trick is that you can put anything you want in the App Name field in Google,” and use a domain via Namecheap that allows them to “put no-reply@google account as From address and the reply address can be anything.”
Source: Nick Johnson“Finally, they forward the message to their victims. Because DKIM only verifies the message and its headers and not the envelope, the message passes signature validation and shows up as a legitimate message in the user’s inbox — even in the same thread as legit security alerts,” Johnson said.
Google deploying countermeasures soonSpeaking to Cointelegraph, a Google spokesperson said they are aware of the issue and are shutting down the mechanism that attackers are using to insert the “arbitrary length text,” which will prevent the method of attack from working in the future.
Related: Hackers hide crypto address-swapping malware in Microsoft Office add-in bundles
“We’re aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse,” the spokesperson said.
“In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”The spokesperson added that Google will never ask for any private account credentials — including passwords, one-time passwords or push notifications, nor call users.
Magazine: Your AI ‘digital twin’ can take meetings and comfort your loved ones
Why this matters
This cryptocurrency story adds another data point to the current market tape and is useful when read alongside nearby source coverage.
Original source
Read on CointelegraphRelated market context
Argentina Freezes 25 Crypto Accounts: Investigation of LIBRA Memecoin
Key Takeaways: Argentine authorities froze 25 crypto wallets linked to the LIBRA token and requested user data from major exchange...
Airbnb CEO says X account was hacked, attacker posted AI-slop on tokenization
Brian Chesky regained control of his account and told any new crypto followers he would be a "disappointing follow".
BTCC Exchange Q2 2026 Growth Report: TradFi Volumes Triple, 12M Users Reached as Exchange Marks 15 Years
George Town, Cayman Islands, July 17th, 2026, Chainwire BTCC, the world’s longest-serving cryptocurrency exchange, today released...
Binance Unveils 3x bStocks Volume Boost, Giving Affiliates a Fast Track to 50% Rewards
Key Takeaways: Through Oct.15, Binance has limited-time 3x trading volume multiplier on bStocks for Affiliate Spot Evaluations. Al...
Trusted Volumes Hacker Returns 1,122 ETH, Keeps $2M Bounty
A hacker tied to the Trusted Volumes exploit has returned 1,122 ETH to the protocol, closing part of a security incident that bega...
Google Gemini AI Reveals Shocking Solana Price Target for 2026
Google Gemini AI predicts a Solana price target that skips the usual talking points and goes straight to a number that made us pau...