ENS Founder Warns of Google Spoof That Tricks Users with Fake Subpoena

ENS Founder Sounds Alarm Over Sophisticated Google Spoof Phishing Scam
Nick Johnson, the founder and lead developer of Ethereum Name Service (ENS), has warned of an “extremely sophisticated” phishing campaign leveraging Google’s own infrastructure to impersonate legitimate security alerts and steal users’ login credentials.
In an April 16 post on X, Johnson outlined how the scam works: users receive a deceptive email claiming that their Google account data is being accessed by law enforcement under a subpoena. The message is designed to resemble an authentic Google alert and even passes DKIM (DomainKeys Identified Mail) signature checks, which verify that a message was signed by the sending domain and has not been altered since it was signed.
“It passes the DKIM signature check, and Gmail displays it without any warnings — it even puts it in the same conversation as other, legitimate security alerts,” Johnson noted.
The fake subpoena appears to be from a Google no-reply domain. Source: Nick Johnson
The phishing email includes a link that claims to let users review case materials or protest the alleged subpoena. The link directs victims to a fake support page built using Google Sites — a legitimate Google-owned tool that allows users to create and host webpages under a trusted Google subdomain.
Using Google Tools for Phishing
According to Johnson, attackers take advantage of several features within Google’s ecosystem to make the scam appear authentic. In addition to Google Sites, the attackers utilize Google OAuth apps, where they can manipulate the app name field to resemble official Google services.
The emails are also crafted using Namecheap-registered domains and sent from spoofed addresses like “no-reply@google[.]com.” Because a DKIM signature covers the signed headers and body rather than the delivery path, it survives forwarding intact: although the messages are relayed through private email servers, they still pass email security checks, including DKIM, and land in users’ inboxes as if sent by Google — even within existing threads of legitimate security emails.
A detailed report by software firm EasyDMARC released on April 11 further explains how these scams exploit a loophole in Google’s verification system to insert malicious messages into otherwise secure conversations.
Google Responds, Promises Fixes
In a statement, a Google spokesperson confirmed the tech giant is aware of the exploit and is actively rolling out countermeasures.
“We’re aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse,” the spokesperson said.
The fix includes closing the loophole that allows attackers to inject arbitrary text into messages while passing DKIM checks. Once deployed, this should prevent similar attacks from succeeding.
Google also reminded users that it will never request sensitive account information such as passwords, one-time passcodes, or push authentication approvals via email or phone calls.
“We encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns,” the spokesperson added.
What Users Should Watch For
Although the scam appears convincing, Johnson pointed out some red flags:
The email is often forwarded by a private, non-Google email address.
The reply-to address doesn’t match official Google domains.
The support link, though hosted on a Google subdomain, contains suspicious URLs or content not typically associated with Google support.
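As an added illustration (not from the article or from Johnson), the following Python script triages a raw email for the three red flags listed above: a Return-Path that does not belong to the claimed Google sender, a Reply-To on a different domain, and a link to a user-hosted Google Sites page. The sample message, its domains and header values are constructed placeholders.

```python
"""Triage a raw email against the red flags described in the article."""
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_SENDER = "google.com"      # domain the From header claims to be
HOSTED_PAGE = "sites.google.com"   # Google Sites: pages anyone can publish

# Constructed sample: a Google-signed alert relayed through a private server.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@relay.example.net>
Received: from relay.example.net by mx.example.org; Wed, 16 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
Reply-To: support@relay.example.net
To: victim@example.org
Subject: Security alert
Content-Type: text/plain

A subpoena was issued. Review case materials at
https://sites.google.com/view/placeholder-case-page
"""

def _domain(addr_header):
    """Return the lower-cased domain of the first address in a header, or ''."""
    match = re.search(r"@([\w.-]+)", addr_header or "")
    return match.group(1).lower() if match else ""

def triage(raw_bytes):
    """Return the list of red-flag labels found in the message (empty = none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flags = []
    from_dom = _domain(msg["From"])
    # Red flag 1: claims to be Google but was bounced/relayed via another server.
    if from_dom == TRUSTED_SENDER and _domain(msg["Return-Path"]) != TRUSTED_SENDER:
        flags.append("return-path-not-google")
    # Red flag 2: replies would go to a domain other than the claimed sender.
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != from_dom:
        flags.append("reply-to-mismatch")
    # Red flag 3: a "Google alert" pointing at a user-hosted Google Sites page.
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://\S+", body)}
    if HOSTED_PAGE in hosts:
        flags.append("link-to-google-sites")
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))  # all three flags fire on the constructed sample
```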
This incident highlights the increasing sophistication of phishing attacks and the need for heightened vigilance — even when emails appear to come from trusted sources. As attackers continue to exploit legitimate platforms, users are encouraged to double-check URLs, avoid clicking unsolicited links, and enable advanced security features like 2FA and passkeys.