EigenLayer: The theft of 1.67 million EIGENs was caused by external malicious attacks, and new security and process measures have been implemented

Odaily News SlowMist posted on X that it was commissioned as an independent third party to investigate the recent incident that resulted in the theft of 1.67 million EIGEN. After a thorough investigation, SlowMist concluded that the incident originated from an external malicious attack: an investor of Eigen Labs fell victim to a phishing attack, which resulted in the intrusion of the email account of an employee of the investor. This enabled the attacker to access an email thread between the investor, Eigen Labs, and the custodian, where the two parties discussed the transfer of EIGEN to the custodian, who would hold the tokens on behalf of the investor. This email thread was forwarded from the investor's email to the attacker. The attacker created and used forged (slightly altered) email addresses for the investor and the custodian, then impersonated the investor and responded to a legitimate email ID, causing the response to appear in the same legitimate email thread, containing the attacker's wallet address instead of the expected custodian wallet address. The attacker used a forged investor email address in the same email thread to confirm receipt of the test transaction. Similarly, the attacker separately confirmed receipt of the test transaction via a forged custodian email address. All of this appeared in the same thread as the initial legitimate thread. After receiving confirmation from what appeared to be an investor and custodian, but was actually a nearly identical fraudulent email address, there was no further communication channel confirmation and the remaining approximately 1.67 million EIGEN were sent to the attacker's wallet. EigenLayer reiterated that the incident did not affect the official website, any protocol or token smart contract, and was not related to any on-chain functionality. Its internal investigation included a thorough review of the token transfer approval process to assess any process errors that led to this incident and determine what improvements are needed to minimize future risks. In response to this incident, the team implemented new security and process measures and will continue to strengthen systems and defenses. Once investors transfer tokens to custodians, each custodian will implement a lock on all investor tokens, which is a common practice.