Title: Ongoing Gmail Cyber Attack: Hackers Target Encryption Keys
Title: Abusing Trust in Gmail: A New Threat Campaign Targeting Solana Crypto Wallets
January 11, 2025: This story, originally published on January 10, now includes a statement from Google regarding the latest Gmail attack report.
As the world's leading free email platform, Gmail often finds itself a prime target for hack attacks. A new report has unveiled this reality, revealing a new threat campaign that exploits trust in Gmail to steal private keys, leading to the draining of Solana crypto wallets. Here's what you need to know.
Exploiting Trust in Gmail
Two unknown threat actors, using shared tactics and techniques, are targeting holders of Solana crypto wallets. The notable point is that Gmail is used as the relay: the stolen key material is sent out through it, and the wallets are drained afterwards. The Socket Threat Research Team revealed its findings in a report titled "Gmail For Exfiltration: Malicious npm Packages Target Solana Private Keys and Drain Victims' Wallets," published on January 8.
Threat Intelligence Analyst Kirill Boychenko explained that Socket had discovered malicious npm (Node package manager) packages "designed to exfiltrate Solana private keys via Gmail," using code that intercepts keys from wallet interactions and "funnel them through Gmail's SMTP servers." Using Gmail in this way matters because the service is so widely trusted and recognized: firewalls and endpoint detection systems tend to treat connections to smtp.gmail.com as legitimate traffic, so these exfiltration attempts are less likely to be flagged.
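The detection gap described above is the co-occurrence of two things inside one package: an outbound mail transport aimed at Gmail and code that touches wallet key material. The following Node script is an added example written for this article, not code from the Socket report or from any npm package; it audits a package's files for that combination before anything is installed, and also lists the lifecycle scripts npm would run automatically. The indicator names, the verdict thresholds and the two sample packages are constructed for the example.

```javascript
// Added example (not code from the Socket report or from any npm package):
// a pre-install audit that flags an SMTP channel to Gmail sitting next to
// wallet key access, plus lifecycle scripts that execute on `npm install`.
// Indicator names and kinds below are this example's own choices.
const INDICATORS = [
  { name: 'gmail-smtp-host', re: /smtp\.gmail\.com/i, kind: 'channel' },
  { name: 'mail-transport', re: /createTransport\s*\(|\bsendMail\s*\(/, kind: 'channel' },
  { name: 'wallet-key-access', re: /\b(secretKey|privateKey|fromSecretKey)\b/, kind: 'secret' },
];

// Scan one source file and report which indicators it contains.
function scanSource(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  const kinds = new Set(matched.map((ind) => ind.kind));
  return {
    hits: matched.map((ind) => ind.name),
    hasChannel: kinds.has('channel'),
    hasSecret: kinds.has('secret'),
  };
}

// npm runs these scripts during install, before application code ever
// requires the package, so a package declaring one deserves a look.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

function lifecycleScripts(packageJson) {
  const scripts = (packageJson && packageJson.scripts) || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string' && scripts[k].trim() !== '');
}

// pkg = { packageJson: <parsed package.json>, files: { 'path.js': '<source>' } }
function auditPackage(pkg) {
  const hits = [];
  let hasChannel = false;
  let hasSecret = false;
  for (const [file, source] of Object.entries(pkg.files)) {
    const r = scanSource(source);
    r.hits.forEach((h) => hits.push(`${file}:${h}`));
    hasChannel = hasChannel || r.hasChannel;
    hasSecret = hasSecret || r.hasSecret;
  }
  const lifecycle = lifecycleScripts(pkg.packageJson);
  // A mail channel next to key access is the exfiltration shape the report
  // describes; either one alone, or an install hook, only warrants review.
  let verdict = 'clean';
  if (hasChannel && hasSecret) verdict = 'suspicious';
  else if (hasChannel || hasSecret || lifecycle.length > 0) verdict = 'review';
  return { name: pkg.packageJson.name, verdict, hits, lifecycle };
}

// Constructed sample carrying the indicators; it is not the malicious
// package's code and does nothing when run.
const SAMPLE_LOOKALIKE = {
  packageJson: { name: '@async-mutex/mutex', scripts: { postinstall: 'node setup.js' } },
  files: {
    'setup.js': [
      "const nodemailer = require('nodemailer');",
      "const transport = nodemailer.createTransport({ host: 'smtp.gmail.com', port: 465 });",
      '// ... reads wallet.secretKey and hands it to transport.sendMail() ...',
    ].join('\n'),
  },
};

// Constructed benign sample: a plain mutex with no network or key access.
const SAMPLE_BENIGN = {
  packageJson: { name: 'async-mutex', scripts: { test: 'node test.js' } },
  files: {
    'index.js': 'class Mutex { constructor() { this.locked = false; } }\nmodule.exports = { Mutex };',
  },
};

const REPORT = [SAMPLE_LOOKALIKE, SAMPLE_BENIGN].map(auditPackage);
console.log(JSON.stringify(REPORT, null, 2));
```

The verdict logic deliberately keys on co-occurrence rather than on smtp.gmail.com alone, since plenty of legitimate tooling sends mail through Gmail; the point is that an install-time script which both reads a wallet secret and opens a mail transport has no honest reason to exist.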
Google has provided the following statement in response:
"We're aware of this class of attack and have account hijacking protections that detect this type of behavior (the exfiltration then forwarding combination). These protections work regardless of the email platform a recipient is using."
I have reached out to Solana for a comment.
The Strategic Use of Gmail
The malicious npm packages masqueraded as legitimate tools, using typo-squatting to resemble a popular package with 93 million downloads and approximately one million weekly downloads: "@async-mutex/mutex" is a typo-squatted version of the popular npm package "async-mutex." The report also warned that Google's AI-powered summaries of the malicious package produced friendly-sounding previews, obscuring the hidden malware and leaving developers at risk.
According to Boychenko, when AI-driven summaries fail to acknowledge hidden threats, they can steer even cautious users toward installing harmful dependencies, posing a threat to individual projects and to the broader software supply chain. The researchers said the malicious packages were still live and available for download at the time of publication, and that they had requested their removal.
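The "@async-mutex/mutex" name works because a scope that reuses a trusted package's name reads as official at a glance. The following check is an added example written for this article, not code from the Socket report or from npm: it compares a requested package name against a short allowlist a project already trusts, catching both the scope-reuse pattern above and single-character lookalikes by edit distance. The allowlist contents and the distance threshold are this example's own assumptions.

```javascript
// Added example (not from the Socket report or npm): a pre-install lookalike
// check against packages a project already trusts. TRUSTED is a constructed
// allowlist; a real project would derive it from its lockfile.
const TRUSTED = ['async-mutex', 'lodash', 'express'];

// Split "@scope/base" into its parts; unscoped names have scope null.
function splitName(name) {
  const m = name.match(/^@([^/]+)\/(.+)$/);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}

// Plain Levenshtein distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Separators are dropped before comparing so "async_mutex" and "asyncmutex"
// count as the same shape as "async-mutex".
function canonical(s) {
  return s.toLowerCase().replace(/[-_.]/g, '');
}

// Returns { verdict: 'trusted' | 'lookalike' | 'unknown', match, reason }.
function lookalikeCheck(name, trusted = TRUSTED, maxDistance = 2) {
  if (trusted.includes(name)) return { verdict: 'trusted', match: name, reason: 'exact' };
  const { scope, base } = splitName(name);
  for (const t of trusted) {
    // "@async-mutex/mutex": the trusted name has become the scope.
    if (scope !== null && canonical(scope) === canonical(t)) {
      return { verdict: 'lookalike', match: t, reason: 'scope-reuses-trusted-name' };
    }
    const d = levenshtein(canonical(base), canonical(t));
    // d === 0 under another scope (e.g. typings packages) is left for a
    // separate policy; here only near misses are flagged.
    if (d > 0 && d <= maxDistance) {
      return { verdict: 'lookalike', match: t, reason: `edit-distance-${d}` };
    }
  }
  return { verdict: 'unknown', match: null, reason: 'no-close-match' };
}

for (const n of ['async-mutex', '@async-mutex/mutex', 'lodahs', 'react']) {
  console.log(n, lookalikeCheck(n));
}
```

An "unknown" verdict is not an approval; it only means the name is not close to anything on the allowlist, and such a package still goes through whatever review a new dependency normally gets.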
The report further revealed that the attack code can handle multiple private keys simultaneously. This allows an attacker to compromise multiple user accounts or environments at once, with the discovered keys subsequently being exfiltrated to attacker-controlled Gmail addresses.
By employing these tactics, hackers can effectively bypass traditional security measures and steal private keys from Solana wallets, ultimately leading to unauthorized fund transfers.
- The Socket Threat Research Team's report revealed the use of malicious node package manager packages designed to exfiltrate Solana private keys via Gmail, exploiting the platform's widespread trust.
- Google's response to the report stated that they have account hijacking protections in place to detect such exfiltration and forwarding behavior, regardless of the email platform being used.
- Two unknown threat actors using shared tactics were behind the campaign; they relied on typo-squatted versions of popular npm packages, Google's AI-powered summaries obscured the malware, and the attack code can compromise multiple user accounts or environments at once.
- Solana crypto wallets were drained as a result of this attack, underlining the need for vigilance when using digital wallets and email platforms, especially when handling sensitive crypto keys.