The Google Subpoena Scam: How ENS Users Were Fooled by Fake Legal Threats

A deep dive into the ENS phishing scam that impersonated Google legal threats, revealing how Web3 identity remains vulnerable to social engineering.

By Onkar Singh // July 23, 2025 @ 10:17 AM


Key takeaways

  • A sophisticated phishing attack targeted ENS users with fake Google subpoenas, exploiting trust in legal authority.
  • Attackers used spoofed DNS records and legitimate-looking email headers to make fraudulent messages appear authentic.
  • Victims were tricked into signing wallet transactions by threats of account suspensions and lawsuits.
  • The scam highlights a growing class of “legal engineering” threats, where fake legal claims are used to drive compliance.
  • ENS names, while readable and branded, also serve as public identifiers, making users easier to target than random wallet addresses.

It started with an email—clean, professional, and terrifying. Sent from what appeared to be legal@google.com, the message warned users of a subpoena related to trademark infringement. The target? Their Ethereum Name Service (ENS) domains.

This scam, highlighted by Nick Johnson, a senior developer and founder of ENS, exploits Google’s infrastructure to appear legitimate, posing a significant risk to the 1.8 billion Gmail users worldwide.

The email didn’t ask for passwords or seed phrases. Instead, it led recipients to a spoofed website mimicking Google’s legal request portal. From there, users were instructed to “confirm ownership” by signing a wallet transaction. But behind the scenes, that signature triggered a smart contract function, draining their assets.

This wasn’t your average phishing attempt. The attackers used DNS spoofing, forged SPF/DKIM email headers, and even included PDF attachments with fabricated legal threats. Many victims reported seeing exact replicas of Google’s subpoena documentation, adding to the credibility of the fraud.

The entire scheme weaponized one powerful assumption: that a legal threat from a tech giant must be real. For many users, especially those operating under their real ENS identities, the fear of lawsuits or account bans was enough to comply, no matter how suspicious the situation seemed.

How The Scam Worked: Fake Legal Emails And Infrastructure Abuse

The attackers behind the Google subpoena scam executed a highly sophisticated phishing campaign that exploited both technical vulnerabilities and psychological manipulation.

  • Email Spoofing and DKIM Replay: The phishing emails appeared to originate from legitimate Google addresses, such as no-reply@google.com, and passed DomainKeys Identified Mail (DKIM) authentication checks. This was achieved through a DKIM replay attack, where previously signed legitimate emails were reused to craft fraudulent messages that could bypass standard email security measures. 
  • Exploiting Google Sites: Victims were directed to counterfeit support portals hosted on Google Sites—a platform that allows users to create web pages under the google.com domain. These malicious pages closely mimicked official Google support pages, complete with branding and design elements, making them appear authentic. The use of a trusted domain significantly increased the credibility of the phishing attempt.
  • Credential harvesting: The fraudulent support pages prompted users to sign in to their Google accounts to view supposed legal documents. Unbeknownst to the victims, entering their credentials on these pages transmitted their login information directly to the attackers, compromising their accounts and any linked services, including cryptocurrency wallets. 
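
A replayed message keeps the headers the original signature covered, so its To: line still names the first recipient rather than the mailbox it finally reached, and the envelope sender belongs to whoever relayed it. The Python below is an added example, not code from the article or from Google, that checks both signals on received headers. It assumes the receiving server stamps Authentication-Results and Delivered-To; the function names, hosts and addresses are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample headers; every host and address here is made up.
SAMPLE = """\
Delivered-To: alice@example.org
Authentication-Results: mx.example.org;
 dkim=pass header.d=google.com;
 spf=pass smtp.mailfrom=bounce@relay.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=sel1;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: no-reply@google.com
To: someone-else@example.com
Subject: Notice
Date: Tue, 15 Apr 2025 09:00:00 +0000

(body omitted)
"""

def aligned(addr: str, signer: str) -> bool:
    """True if addr's domain is the signing domain or a subdomain of it."""
    dom = addr.rsplit("@", 1)[-1].lower()
    return dom == signer or dom.endswith("." + signer)

def replay_indicators(raw: str, authserv_id: str) -> list[str]:
    """Heuristic flags for a DKIM-valid message re-sent by a third party."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Trust only the Authentication-Results stamped by our own receiving server.
    auth = next((str(h) for h in msg.get_all("Authentication-Results", [])
                 if str(h).split(";")[0].strip().lower() == authserv_id), "")
    dkim = re.search(r"dkim=pass\b[^;]*\bheader\.d=([\w.-]+)", auth)
    if not dkim:
        return []  # no passing signature, so nothing to replay
    signer, flags = dkim.group(1).lower(), []
    # To: is covered by the signature, so a replayed copy still names the
    # original recipient (assumes "to" is in the h= list, as is usual).
    hdrs = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    rcpts = {addr.lower() for _, addr in getaddresses(hdrs)}
    delivered = str(msg.get("Delivered-To", "")).strip().lower()
    if delivered and delivered not in rcpts:
        flags.append("recipient-not-in-signed-headers")
    # The envelope sender belongs to whoever relayed the copy, not the signer.
    spf = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    if spf and not aligned(spf.group(1), signer):
        flags.append("envelope-sender-unaligned")
    return flags
```

Bcc and mailing-list deliveries also produce a recipient mismatch, so treat these flags as triage signals rather than a verdict.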

This multi-layered attack underscores the evolving tactics of cybercriminals, who now leverage legitimate platforms and sophisticated techniques to deceive users. The combination of technical exploitation and psychological manipulation made this phishing campaign particularly effective and dangerous.

Why ENS Users Were Targeted

ENS users weren’t chosen at random—they were targeted because of how visible and personalized their on-chain identities are.

Unlike random wallet addresses, ENS domains often carry real names, brands, or affiliations (like vitalik.eth or yourcompany.eth). This makes them easier to track, more trustworthy in social contexts, and perfect bait for phishing attacks.

To an attacker, an ENS name does two things:

  • Reveals a user’s digital footprint—which dApps they interact with, how much crypto they hold, and what tokens they use.
  • Signals credibility—making it more likely that others will trust or click links coming from that identity.

Because ENS names are tied to Web3 usernames, they create a layer of pseudo-transparency that can be used against the user. Attackers can scrape ENS name registries, find active wallets, and build custom scams that feel personal, like the fake legal threats seen in this campaign.

In short, ENS domains are both a badge of identity and a soft target. That visibility, while great for branding and UX, can backfire when bad actors are watching.

Security Lessons: How To Spot And Stop Phishing 3.0

The recent ENS-targeted phishing scam underscores the evolving sophistication of cyber threats. To safeguard against such attacks, it’s crucial to understand their mechanics and adopt proactive security measures.

Recognize the red flags:

  • Unusual Sender Addresses: Even if an email appears to come from a legitimate source, scrutinize the sender’s address for inconsistencies.
  • Urgent or Threatening Language: Be wary of emails that pressure you into immediate action, especially those threatening legal consequences.
  • Unexpected Attachments or Links: Avoid clicking on links or downloading attachments from unsolicited emails.

Verify before you act:

  • Direct communication: If you receive a suspicious email, contact the organization directly through official channels to verify its authenticity.
  • Check URLs carefully: Hover over links to see the actual URL before clicking. Look for subtle misspellings or unusual domain names.
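
The hover check can be automated for mail that reaches a gateway or a reporting mailbox. This added example (not from the article) collects each link's real destination from an HTML body, flags hosts that serve user-authored pages under a well-known parent domain, as Google Sites does, and flags links whose visible text shows a different host than the href. The host list, names and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts serving user-authored pages under a trusted parent domain.
# sites.google.com is the one named in the article; extend as needed.
USER_CONTENT_HOSTS = {"sites.google.com"}

SAMPLE_HTML = (  # constructed email body; the path is a placeholder
    '<p>View the case at <a href="https://sites.google.com/EXAMPLE-PATH">'
    'https://support.google.com/legal</a> or '
    '<a href="https://accounts.google.com/">sign in</a>.</p>'
)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_links(html: str) -> list[tuple[str, list[str]]]:
    """Return (destination host, flags) for each link in an HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        flags = []
        if host in USER_CONTENT_HOSTS:  # trusted domain, untrusted author
            flags.append("user-content-host")
        # If the visible text is itself a URL, it must agree with the href.
        shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
        if shown and shown != host:
            flags.append("text-href-mismatch")
        results.append((host, flags))
    return results
```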

Enhance your security posture:

  • Enable Two-Factor Authentication (2FA): Adding an extra layer of security can prevent unauthorized access even if your credentials are compromised.
  • Use security tools: Employ reputable security software that can detect and block phishing attempts.
  • Stay informed: Regularly update yourself on common phishing tactics and emerging threats.

For ENS users:

  • Limit public exposure: Consider minimizing the amount of personal information linked to your ENS domain.
  • Monitor activity: Regularly check your domain’s activity for any unauthorized changes or access attempts.

By staying vigilant and adopting these practices, you can significantly reduce the risk of falling victim to sophisticated phishing scams.

Larger Implications: Legal Engineering And The Future of On-Chain Identity

This wasn’t just a scam—it was a preview of a new category of attacks: legal engineering. Rather than brute-forcing wallets or stealing private keys, attackers used the illusion of law to pressure users into compliance.

As crypto matures, its interfaces are becoming more personal, thanks to services like ENS, Lens, and Farcaster. These tools create recognizable digital identities, but they also introduce attack surfaces shaped by trust, not code.

Fake subpoenas, impersonated law firms, and manipulated legal threats are harder to detect than malware. They feel real. And because Web3 users are often self-custodied and self-managed, they’re also more isolated, with no support desk to double-check a legal email.

The takeaway is this: Web3 identity brings great UX benefits, but also introduces new forms of social and psychological risk. Scams are evolving beyond fake tokens and airdrops. Now, they’re blending code, context, and credibility.

As modular identity systems expand, developers and users will need to build defenses not just against technical exploits, but narrative ones too.

Trust in Web3 — Still Easy To Exploit?

The recent phishing attacks targeting ENS users highlight a critical vulnerability in the Web3 ecosystem: the exploitation of trust. As decentralized technologies evolve, so do the tactics of malicious actors who seek to undermine them.

Web3 aims to eliminate the need for intermediaries, placing trust in code and decentralized protocols. However, this shift doesn’t eradicate the human element. Users still rely on interfaces, domain names, and perceived authority figures, making them susceptible to social engineering attacks.

ENS domains, while enhancing user experience by replacing complex wallet addresses with readable names, inadvertently introduce new attack vectors. These human-readable identifiers can be easily targeted, as they often correlate with public personas or brands, making phishing attempts more convincing.

The Path Forward

To enhance trust within the Web3 ecosystem, several key strategies are essential. First, implementing rigorous verification systems is crucial to enable users to confidently distinguish genuine communications from fraudulent ones, reducing the risk of deception. 

Additionally, providing continuous user education on potential risks and safe practices is vital, encouraging individuals to approach unsolicited messages, particularly those using urgency or authority, with caution.

Furthermore, fostering collaborative efforts across the community is necessary to quickly identify and mitigate threats, with members sharing critical information about scams and vulnerabilities to strengthen collective security. By pursuing these approaches, Web3 can build a more trustworthy and resilient environment for all users.


Onkar Singh

Onkar is a seasoned digital finance (DeFi) content creator with half a decade of experience in the blockchain and cryptocurrency industry. He has contributed to leading crypto media platforms, and collaborated with numerous DeFi projects worldwide. He blends his passion for technology and storytelling to deliver insightful content that bridges the gap between complex blockchain concepts and mainstream understanding.
