Hackers breached LEGO's website to promote a fake crypto coin scam. Learn how the attack unfolded and what it means.
A sophisticated cyberattack rocked the official LEGO website, exposing the popular global brand to a high-stakes cryptocurrency scam. Hackers briefly seized control of the platform, promoting a fraudulent LEGO Coin that could be purchased with Ethereum.
The event, which lasted 75 minutes, sent shockwaves through the cybersecurity world, raising eyebrows not only for its bold execution but also for the odd choice of targeting one of the world’s most trusted family-friendly brands.
At approximately 9 PM EST, unsuspecting visitors to LEGO.com were greeted by a modified main banner promoting a new "LEGO Coin." This wasn't just any harmless image. The hackers crafted a seemingly legitimate ad, complete with the LEGO logo and promises of “secret rewards” for those who purchased the token.
The banner read:
"Our new LEGO Coin is officially out! Buy the new LEGO Coin today and unlock secret rewards!"
For 75 minutes, this fraudulent campaign persisted, redirecting users to the Uniswap cryptocurrency platform. Here, the fake LEGO token could be purchased using Ethereum, luring in cryptocurrency enthusiasts and LEGO fans alike.
However, unlike many traditional cryptocurrency scams, this breach did not utilize a crypto drainer to immediately steal funds from connected wallets. Instead, the focus was on selling fake tokens. By 10:15 PM EST, LEGO’s web administrators regained control, removing the malicious banner and restoring normal operations.
While the damage from the attack was limited, LEGO quickly moved to reassure customers. In a statement to SecureBlink Threat Researchers, LEGO confirmed the breach but kept the details on how hackers managed to access their system under wraps:
"On 5 October 2024, an unauthorized banner briefly appeared on LEGO.com. It was quickly removed, and the issue has been resolved. No user accounts have been compromised, and customers can continue shopping as usual. The cause has been identified, and we are implementing measures to prevent this from happening again."
The company’s swift response helped alleviate customer fears, and it emphasized that no user accounts or personal information were compromised during the attack.
This attack left cybersecurity experts perplexed. Why LEGO? For such a high-profile brand with a vast, loyal customer base, many expected a more malicious payload. Hackers commonly exploit website breaches to:
Inject malicious JavaScript to steal customer information (such as credit card data).
Use the breach as a vector for data extortion.
Sell stolen data on darknet marketplaces.
But in this case, the focus was a low-effort cryptocurrency scam, with only a handful of people purchasing the fake LEGO tokens, amounting to a few hundred dollars in revenue for the attackers. For the access they had, the scam’s execution and profit were both notably underwhelming.
This incident serves as a stark reminder of the vulnerabilities high-profile websites face, especially in an era where cryptocurrency scams are becoming increasingly rampant. Unlike the traditional methods of stealing customer data or injecting malware, this hack showcased a growing trend of brand exploitation through direct crypto schemes.
In recent years, phishing campaigns and supply chain attacks have given hackers a pathway to even the most secure websites. Once inside, the attackers can exploit a brand's reputation to give credibility to their scams—precisely what happened with LEGO.
While this attack on LEGO.com may not have resulted in massive financial damage or data loss, it highlights several key concerns:
No site is immune to attacks, no matter how robust its security protocols.
Brand reputation can be a powerful weapon in the hands of cybercriminals.
Cryptocurrency scams are evolving and using more creative methods to capture unsuspecting victims.
Companies must guard not only against data theft but also against brand hijacking in the crypto space.