--- title: "Threat Actors use NameCheap’s Email to Execute Metamask and DHL Phishing Attacks. | Phish Protection" description: "Threat Actors use NameCheap’s Email to Execute Metamask and DHL Phishing Attacks.: The recent security breach and phishing campaign that occurred at." image: "https://phishprotection.com/og/blog/threat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks.png" canonical: "https://phishprotection.com/blog/threat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks/" --- Quick Answer The recent security breach and phishing campaign that occurred at Namecheap, a domain registrar, serves as a stark reminder of the persistent and evolving threats posed by \[cybercriminals\](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/). In this post, we will delve into the details of the breach and the phishing campaign and offer some essential tips to help \*\*protect against phishing scams\*\*. Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fthreat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Threat%20Actors%20use%20NameCheap%26%238217%3Bs%20Email%20to%20Execute%20Metamask%20and%20DHL%20Phishing%20Attacks.&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fthreat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Fthreat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fthreat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks%2F&title=Threat%20Actors%20use%20NameCheap%26%238217%3Bs%20Email%20to%20Execute%20Metamask%20and%20DHL%20Phishing%20Attacks. "Share on Reddit") [ ](mailto:?subject=Threat%20Actors%20use%20NameCheap%26%238217%3Bs%20Email%20to%20Execute%20Metamask%20and%20DHL%20Phishing%20Attacks.&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Fthreat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks%2F "Share via Email") ![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2023/09/Phishing-Attack-Statistics.png) The recent security breach and phishing campaign that occurred at Namecheap, a domain registrar, serves as a stark reminder of the persistent and evolving threats posed by [cybercriminals](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/). In this post, we will delve into the details of the breach and the phishing campaign and offer some essential tips to help **protect against phishing scams**. The web hosting company and domain registrar Namecheap recently suffered a\*\* security breach\*\* when its email account was hacked. This breach resulted in a phishing campaign that targeted the\*\* cryptocurrency wallet MetaMask\*\* and the logistics company DHL, intending to obtain personal and cryptocurrency wallet information from susceptible users. The [phishing emails](/content/protection-from-phishing/how-to-stop-phishing-emails) were sent out around 4:30 PM ET and originated from SendGrid, an email platform that Namecheap had used in the past for **marketing emails** and renewal notices. ![Phishing Attack Statistics](https://media.mailhop.org/phishprotection/images/2023/09/Phishing-Attack-Statistics.png) ### Phishing Emails The phishing emails used in the campaign impersonated DHL and MetaMask. The DHL phishing email appeared to be a bill for a delivery fee needed to complete the package delivery. The embedded links in the email directed users to a fake phishing page where the attackers aimed to steal the targets’ information. Meanwhile, the MetaMask phishing email was designed to appear as a required KYC verification message to **prevent wallet suspension**. The email included a marketing link from Namecheap that redirected users to a phishing page pretending to be MetaMask. This page prompted users to enter their “**Secret Recovery Phrase**” or “Private Key.” Once a user provides either the recovery phrase or private key, the [threat actors](/phishing-awareness/threat-actors-using-phishing-as-a-service-phaas) could use them to import the wallet to their devices and steal all the funds and assets. After several recipients voiced their complaints on Twitter, Namecheap’s **CEO Richard Kirkendall** confirmed that the account was compromised and that they had disabled the email through SendGrid while they conducted an investigation. ### What are Phishing Emails? > “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle Phishing emails are deceptive emails that deceive recipients into\*\* sharing sensitive information\*\* like login credentials, credit card numbers, or other personal information. Phishing emails often appear to be from legitimate sources, such as a bank or a company that the recipient is familiar with, and may use a variety of tactics to make the email appear more convincing, such as including official logos or using a tone of urgency . [Phishing attacks](/resources/7-most-common-phishing-attacks-and-learning-to-protect-against-them) can take various forms, such as [spear-phishing](/content/spear-phishing-prevention), where the attacker targets a specific individual or group, or whaling, where the attacker targets a **high-profile individual**, such as a CEO or a government official. Social engineering tactics and machine learning algorithms have been increasingly used in phishing attacks in recent years to personalize email content and make them **harder to detect**. The[latest research](https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/)by Checkpoint highlights a significant surge in cyberattacks on corporate networks worldwide. Shockingly, the number of cyberattacks increased by an alarming 38% per week in 2022 compared to the previous year. This worrisome trend is further exacerbated by multiple cyber threat factors occurring simultaneously. The threat landscape posed by [ransomware](/content/protection-against-ransomware/what-is-ransomware) is evolving at a rapid pace. Cybercriminals have expanded their focus and are now targeting widely-used **business collaboration tools** like _Slack, Teams, OneDrive, and Google Drive_ to launch phishing attacks and gain access to sensitive data. These groups are well-organized, highly skilled, and capable of developing and deploying advanced techniques to evade detection, bypass security controls , and infiltrate targeted systems. As these groups become more refined in their methods, techniques, and procedures, their attacks are becoming increasingly difficult to thwart, requiring the implementation of more advanced and **multifaceted defensive strategies**. ### Namecheap’s Response to the Recent Attack In a statement released on Sunday night, Namecheap clarified that their own systems were not breached, but rather the[ phishing](/resources/what-is-phishing) incident was related to an upstream system used for email. Namecheap suspended all email services, including [two-factor authentication](https://www.techtarget.com/searchsecurity/definition/two-factor-authentication) code delivery, trusted devices’ verification, and **password reset emails**, as a precautionary measure. The company initiated an investigation in collaboration with its upstream provider to determine the source of the attack. By 7:08 PM EST , services were restored. Namecheap has not explicitly mentioned the name of the compromised upstream system. However, the\*\* CEO of Namecheap\*\* had previously tweeted that the company was using SendGrid, which was also confirmed in the headers of the phishing emails. Interestingly, Twilio SendGrid, the email service provider, denied any hack or compromise of their systems in relation to Namecheap’s incident, creating more confusion about the cause of the breach. ### Protecting Yourself from Phishing Scams: Essential Tips Phishing scams are a major threat in the cybersecurity world, and it’s essential to take proactive steps to protect yourself and your organization. The following are some essential tips to keep in mind: - **\_Be cautious of unsolicited emails asking for personal information: \_**Phishing emails often appear to come from legitimate sources but are actually from fake or spoofed email addresses . Therefore, it is critical to double-check the sender’s address before providing any personal information . - **_Exercise caution when clicking on links or downloading attachments included in phishing emails:_**Links or attachments in phishing emails can contain [malware](https://cyware.com/category/malware-and-vulnerabilities-news) or take you to a fake website designed to steal your information. It is vital to exercise caution and avoid interacting with any suspicious emails or links. - **\_Watch out for urgent or threatening language: \_**Phishing scams frequently employ tactics that induce a feeling of\*\* urgency or panic\*\*, with the intention of pressuring individuals to take swift action without careful consideration. Be cautious of any emails that use such language, and double-check the sender’s legitimacy. - **\_Use two-factor authentication (2FA): \_**To enhance your online security, it is advisable to enable two-factor authentication (2FA) for all your accounts. It can help prevent unauthorized access even if a scammer has obtained your login credentials. It’s important to set up 2FA wherever possible to enhance the security of your accounts. - **\_Keep your software updated: \_**Software updates often include security patches that can protect against known vulnerabilities that scammers may exploit. Therefore, it’s essential to keep your software up to date and ensure that all security patches are applied. - **_Use anti-virus and anti-malware software on your devices:_**Installing anti-virus and **anti-malware software** on your device can aid in identifying and eliminating any potentially malicious software that may be installed on your device. It’s crucial to use such software and keep it up to date to protect against potential cyber threats. - **\_Get educated on phishing scams: \_**Phishing scams can be sophisticated, and it’s crucial to stay informed about the latest tactics used by scammers. Educate yourself and your employees about phishing scams and how to identify and avoid them. This can help prevent potential security breaches and [protection from phishing](/). ![Anti phishing solutions](https://media.mailhop.org/phishprotection/images/2023/02/anti-phishing-solutions-8463.jpg) ### Final Words The Namecheap email breach is a timely reminder of the importance of maintaining **good cyber hygiene** and being vigilant regarding online security. Taking proactive measures to protect yourself and your organization from phishing scams is essential. Following the essential tips outlined in this blog can help reduce the risk of becoming a victim of a phishing scam and keep your personal information and assets safe. _Remember, staying informed, remaining cautious, and practicing good cyber hygiene are critical to staying safe in the digital world._ ## Topics [ Cybersecurity ](/tags/cybersecurity/)[ Phishing ](/tags/phishing/)[ Phishing Awareness ](/tags/phishing-awareness/) ![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Protect your inbox from phishing attacks Real-time email security with 60-day free trial. No credit card required. [Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) ## Related Articles [ Intermediate 5m American Airlines Suffers Employee Email Data Breach, Personal Information at Risk Oct 4, 2022 ](/blog/american-airlines-suffers-employee-email-data-breach-personal-information-risk/)[ Intermediate 5m BitRAT Malware Threat Actors Leveraging Stolen Columbian Cooperative Bank Data in Phishing Campaign Jan 18, 2023 ](/blog/bitrat-malware-threat-actors-leveraging-stolen-columbian-cooperative-bank-data-in-phishing-campaign/)[ Intermediate 5m Find Out About the Latest Case of Threat Actors Utilizing Phishing-as-a-Service to Steal $120,000 Feb 20, 2023 ](/blog/find-out-about-the-latest-case-of-threat-actors-utilizing-phishing-as-a-service-to-steal-120000/)[ Intermediate 5m GoDaddy Customers Beware: Hackers Have Been Stealing Source Code for Years Mar 6, 2023 ](/blog/godaddy-customers-beware-hackers-have-been-stealing-source-code-for-years/) ```json {"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"Threat Actors use NameCheap’s Email to Execute Metamask and DHL Phishing Attacks.","description":"Threat Actors use NameCheap’s Email to Execute Metamask and DHL Phishing Attacks.: The recent security breach and phishing campaign that occurred at.","url":"https://phishprotection.com/blog/threat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks/","datePublished":"2023-02-27T09:27:42.000Z","dateModified":"2026-04-17T15:43:10.000Z","dateCreated":"2023-02-27T09:27:42.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/threat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks/"},"articleSection":"intermediate","keywords":"Cybersecurity, Phishing, Phishing Awareness","wordCount":1235,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2023/09/Phishing-Attack-Statistics.png","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://phishprotection.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Threat Actors use NameCheap’s Email to Execute Metamask and DHL Phishing Attacks.","item":"https://phishprotection.com/blog/threat-actors-use-namecheaps-email-to-execute-metamask-and-dhl-phishing-attacks/"}]} ```