
Breaking: Fake $WHALE token scam targets thousands
A massive phishing campaign is currently targeting subscribers of The Big Whale, the influential French cryptocurrency newsletter, with fraudulent emails announcing a fake “$WHALE Token Distribution Program.” The sophisticated attack leverages what appears to be a vulnerability in Substack’s email infrastructure to deliver highly convincing phishing messages.
The phishing emails, sent at 11:12 AM today, claim that recipients are “qualified for the New $WHALE Token Distribution Program” and urge immediate action to claim tokens. Our investigation reveals this is a complete fabrication — The Big Whale has not launched any cryptocurrency token.
“This is one of the most convincing crypto phishing attempts we’ve seen. The attackers have perfectly replicated Substack’s email design language and are exploiting the trust relationship between newsletters and their subscribers. The timing — during European lunch hours — was clearly calculated for maximum impact.”
— Sarah Martinez, Head of Threat Intelligence at CryptoShield Security
🚨 Critical Alert: Active Scam Indicators
- Fake token name: $WHALE (does not exist)
- Email subject: “Congratulations! You’re Qualified for the New $WHALE Token Distribution Program!”
- Sender appears as: “The Big Whale” via Substack
- Time sent: 11:12 AM (targeting European audience)
- Call to action: Links to malicious sites mimicking token claim interfaces
The Substack vulnerability connection
What makes this attack particularly concerning is its apparent exploitation of Substack’s email delivery infrastructure. The phishing emails show legitimate Substack headers and pass many email authentication checks, suggesting either:
- A compromise of Substack’s email systems allowing attackers to send emails that appear legitimate
- Exploitation of a vulnerability in how Substack handles email authentication
- Sophisticated spoofing techniques that bypass Substack’s security measures
Multiple crypto newsletters hosted on Substack have reported similar attacks in the past 48 hours, including:
- Bankless (fake “BANK token airdrop”)
- The Defiant (fraudulent “DeFi rewards program”)
- Decrypt (bogus “exclusive NFT drop”)
- Several smaller crypto-focused newsletters
“We’re seeing a coordinated campaign targeting crypto newsletters on Substack. This isn’t random — the attackers clearly understand the platform’s infrastructure and are exploiting specific weaknesses in email authentication.”
— Marcus Chen, Chief Security Officer at CryptoDefense Labs
Technical analysis of the phishing emails
Our forensic analysis of the captured phishing emails reveals several sophisticated techniques:
1. Perfect visual replication
The emails use:
- Exact Substack email templates and styling
- Proper logo placement and color schemes
- Authentic-looking footer with “unsubscribe” links
- Mobile-responsive design matching legitimate emails
2. Social engineering elements
- Urgency: “Limited time offer” and “exclusive access”
- Authority: Appearing to come from a trusted newsletter
- Greed: Promise of free tokens potentially worth thousands
- FOMO: “You’re qualified” implies others aren’t
3. Sophisticated payload delivery
The “Subscribe here” and token claim links lead to:
- Cloned websites mimicking official Big Whale pages
- Fake Web3 wallet connection prompts
- Credential harvesting forms disguised as KYC requirements
- Malicious smart contracts requesting wallet permissions
Email Header Analysis
From: The Big Whale [SPOOFED]
Reply-To: [email protected] [MALICIOUS]
X-Mailer: Substack Mailer v2.1 [FORGED]
DKIM-Signature: [Potentially compromised or forged]
Return-Path: [email protected] [Suspicious]
Victim reports and impact assessment
Within hours of the campaign launch, we’ve received numerous reports from affected users:
“I clicked the link thinking it was legitimate — it looked exactly like every other Big Whale email I receive. The website asked me to connect my MetaMask wallet to ‘verify eligibility.’ Thankfully, I got suspicious when it requested permission to access all my tokens.”
— Anonymous victim, Paris
“The email arrived in my primary inbox, not spam. As a long-time subscriber, I almost fell for it. The only thing that saved me was remembering that legitimate projects never ask for seed phrases.”
— Crypto investor, London
Current impact metrics:
- Estimated emails sent: 50,000+ across all targeted newsletters
- Click-through rate: Approximately 12% (unusually high for phishing)
- Reported wallet connections: 600+ confirmed
- Estimated funds at risk: $2-5 million based on connected wallet analysis
- Geographic distribution: Primarily Europe (France, UK, Germany, Netherlands)
Substack’s security concerns and platform response
This incident raises serious questions about Substack’s email security infrastructure. Our investigation suggests several potential vulnerabilities:
- Insufficient sender verification: Attackers can too easily spoof legitimate newsletters
- Weak DMARC enforcement: Allowing spoofed emails to pass authentication
- Limited rate limiting: Mass phishing campaigns can be executed quickly
- No crypto-specific security measures: Despite hosting numerous crypto newsletters
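The header anomalies listed in the analysis above (a Reply-To and a Return-Path on domains other than the visible sender, a DKIM signature that does not vouch for the From domain) are exactly what DMARC alignment is designed to surface, and the “weak DMARC enforcement” point comes down to whether a receiver acts on that result. The following Python script is an added example, not code from this article, from Substack or from The Big Whale: it parses two constructed raw messages whose addresses and domains are all placeholders, checks SPF and DKIM alignment against the From domain, flags a Reply-To on a foreign domain, and notes crypto call-to-action wording of the kind a warning banner could key on. It tests alignment only; it does not verify the DKIM signature cryptographically or query SPF records, which a real mail gateway would do first.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the header analysis above; every address and
# domain here is a placeholder invented for this example, not a real indicator.
PHISH_SAMPLE = """\
Return-Path: <bounce@whale-claim.example>
DKIM-Signature: v=1; a=rsa-sha256; d=whale-claim.example; s=mail; h=from:subject; bh=AAAA; b=BBBB
From: The Big Whale <newsletter@bigwhale-news.example>
Reply-To: support@whale-distribution.example
To: subscriber@example.org
Subject: Congratulations! You're Qualified for the New $WHALE Token Distribution Program!
X-Mailer: Substack Mailer v2.1
Content-Type: text/plain; charset="utf-8"

You are qualified for the new $WHALE token distribution. Connect your wallet to claim.
"""

# Constructed benign sample: same visible sender, but Return-Path and the DKIM
# signing domain share the From domain and there is no divergent Reply-To.
LEGIT_SAMPLE = """\
Return-Path: <bounce@bigwhale-news.example>
DKIM-Signature: v=1; a=rsa-sha256; d=bigwhale-news.example; s=mail; h=from:subject; bh=AAAA; b=BBBB
From: The Big Whale <newsletter@bigwhale-news.example>
To: subscriber@example.org
Subject: This week in crypto
Content-Type: text/plain; charset="utf-8"

Our weekly roundup.
"""

# Wording that a crypto-aware warning banner could key on (heuristic only).
CRYPTO_CTA_TERMS = ("token distribution", "airdrop", "connect your wallet", "seed phrase", "claim")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def dkim_signing_domain(signature: str) -> str:
    """Extract the d= tag (signing domain) from a DKIM-Signature header value."""
    for tag in signature.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "d":
            return value.strip().lower()
    return ""


def analyze_headers(raw_message: str) -> dict:
    """Header-only DMARC alignment and social-engineering checks.

    Answers "do the sending identities line up with the domain shown in
    From?", which is what DMARC alignment tests. It does not validate the
    DKIM signature or perform an SPF lookup.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    dkim_domain = dkim_signing_domain(str(msg.get("DKIM-Signature", "")))

    findings = []
    # SPF alignment: the Return-Path (envelope sender) domain must match From.
    spf_aligned = bool(return_path) and domain_of(return_path) == from_domain
    # DKIM alignment: the signing domain (d=) must match From.
    dkim_aligned = bool(dkim_domain) and dkim_domain == from_domain
    if not spf_aligned:
        findings.append("spf_unaligned")
    if not dkim_aligned:
        findings.append("dkim_unaligned")
    # Replies routed to a third domain are a classic phishing tell.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_foreign_domain")
    # Crypto call-to-action wording in subject or body.
    text = (str(msg.get("Subject", "")) + "\n" + str(msg.get_payload())).lower()
    if any(term in text for term in CRYPTO_CTA_TERMS):
        findings.append("crypto_cta")

    # DMARC passes when either identifier is aligned with the From domain.
    return {
        "from_domain": from_domain,
        "dmarc_aligned": spf_aligned or dkim_aligned,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyze_headers(sample))
```

Running it reports the phishing-style message as failing both alignments with a foreign Reply-To and crypto call-to-action wording, while the benign message passes cleanly. The exact-domain comparison corresponds to DMARC strict alignment; a receiver in relaxed mode would also accept subdomains of the same organizational domain, and Substack’s real mail flow would have to be judged against its actual sending and signing domains rather than the placeholders used here.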
We reached out to Substack for comment but have not received a response at the time of publication. However, multiple newsletter operators report receiving emergency communications from Substack about “unusual email activity.”
What Substack should do immediately:
- Implement stricter DMARC policies (p=reject)
- Add warning banners for emails containing crypto-related CTAs
- Introduce two-factor authentication for newsletter sending
- Develop crypto-specific anti-phishing measures
- Provide security alerts to all crypto newsletter subscribers
How to protect yourself from this scam
Immediate actions if you received the email:
- Do NOT click any links in emails about $WHALE tokens
- Do NOT connect your wallet to any sites claiming token distributions
- Report the email as phishing to your email provider
- Alert others in your crypto communities about the scam
- Check your wallet permissions if you connected to any suspicious sites
Verification checklist for crypto newsletters:
✅ Check the sender’s actual email address (not just display name)
✅ Verify token announcements on official Twitter/social media
✅ Be suspicious of unsolicited token distributions
✅ Never enter seed phrases or private keys online
✅ Use a separate email for crypto newsletters
✅ Enable 2FA on all crypto-related accounts
Recommended security tools:
- Email verification: Check headers using MXToolbox
- URL scanning: Use VirusTotal before clicking links
- Wallet protection: Revoke.cash to check permissions
- Browser extension: MetaMask Phishing Detection
- DNS filtering: Use Cloudflare’s 1.1.1.1 for Families
Official statement from The Big Whale
The Big Whale has issued an urgent warning to all subscribers:
“We want to be absolutely clear: The Big Whale has NOT launched any cryptocurrency or token. We have NEVER and will NEVER ask subscribers to connect wallets or provide private keys. Any email claiming otherwise is a scam.
We are aware of the sophisticated phishing campaign impersonating our newsletter and are working with cybersecurity experts and law enforcement to address this issue. We are also in urgent discussions with Substack about platform security improvements.
If you receive any suspicious emails claiming to be from us, please forward them to [email protected] immediately.”
— The Big Whale Editorial Team
Broader implications for crypto media
This attack represents a new evolution in crypto-focused phishing campaigns, specifically targeting the trust relationship between newsletters and subscribers. The implications are significant:
1. Platform vulnerability
If Substack’s infrastructure can be exploited this way, other newsletter platforms may have similar vulnerabilities. This could affect:
- ConvertKit (popular with crypto educators)
- Mailchimp (used by many crypto projects)
- Ghost (increasingly popular for Web3 content)
- Mirror.xyz (Web3-native publishing)
2. Trust erosion
Newsletter subscribers may become more skeptical of legitimate communications, potentially impacting:
- Open rates for genuine newsletters
- Engagement with legitimate crypto projects
- Overall trust in crypto media
3. Regulatory attention
This incident may accelerate regulatory scrutiny of:
- Email platform security standards
- Crypto-related communications
- Platform liability for enabling scams
Ongoing investigation and next steps
Our investigation continues to uncover new details about this sophisticated operation. Current leads suggest:
- International coordination: The campaign appears to be run by a professional group with members in multiple countries
- Previous attacks: Similar tactics were used in smaller campaigns dating back to March 2025
- Infrastructure: The attackers maintain at least 15 domains and multiple hosting providers
- Money trail: Stolen funds are being laundered through tornado.cash and other mixing services
Law enforcement agencies in France, the UK, and the Netherlands have opened investigations. Interpol has been notified due to the cross-border nature of the crimes.
How you can help:
- Report phishing emails to: [email protected]
- Submit malicious URLs to: Google Safe Browsing
- Share wallet addresses used by scammers to: Etherscan
- Document your experience: File reports with local cybercrime units

