A scam run through the X (formerly Twitter) account of Vitalik Buterin, the co-founder of Ethereum, netted nearly $700,000.
Although the account was locked within hours of the takeover, a single post by the scammers was enough to net hundreds of thousands of dollars through a fake NFT giveaway.
Vitalik Buterin’s account and the nearly million-dollar scam
Truth be told, Buterin is not a big social media user.
For example, before Sunday's takeover his last original tweet dated back to 16 August, followed only by a retweet on 6 September.
Suffice it to say that after regaining access to his account, Buterin has not yet tweeted anything, and he has not even reverted the bio that the scammers edited.
Even on his personal blog, Vitalik.ca, Buterin is not very active, with little more than one post per month.
The X account of the celebrated Ethereum co-founder has nearly five million followers, making it one of the most-followed personal crypto accounts. By comparison, Michael Saylor, who posts almost every day, stands at just over three million, and the late John McAfee stood at 1.1 million.
Buterin more often communicates through another tool, Warpcast, which is, not surprisingly, where he chose to announce yesterday that he had recovered his X account.
Warpcast is a client for Farcaster, a decentralized protocol on which several dApps are built. Specifically, Warpcast is the Farcaster dApp that provides a decentralized social network similar to Twitter.
The hack
According to Buterin’s statement on Warpcast, the scammers were able to get into his X account through a SIM swap attack.
In other words, they got control of his phone number: in a SIM swap the attacker persuades or bribes the mobile carrier into transferring the victim's number to a SIM card the attacker controls (the card is not literally cloned), so that SMS messages sent to that number, including password-reset codes, arrive on the attacker's phone. With that, the scammers could use X's phone-based password recovery to gain access.
Buterin himself complained both about having been required to give X a phone number and about having left it attached to the account.
However, it is not known how the attackers learned his phone number, or how they got the carrier to move it onto their SIM.
It is worth pointing out that attacks of this kind are increasingly common. A one-time code sent by SMS is only as strong as the carrier's identity checks, so the practical defence is to disable SMS-based password recovery and SMS two-factor authentication in favour of an authenticator app or a hardware security key, or to remove the phone number from the account altogether. Note that enabling an authenticator app does not by itself help if a phone number stays attached and can still be used for account recovery.
The scam via Vitalik Buterin’s account
Once they had access to Buterin's X profile, the scammers posted a single tweet.
WARNING! I JUST LOST A FEW PUNKS!
DON'T INTERACT! pic.twitter.com/lS4VvlHdVa
— luckytimes.eth beautifuldaytobealive.eth (@BokkyPooBah) September 9, 2023
The tweet naturally appeared to have been posted by Buterin himself, which is why many people fell for it.
In that tweet, "Buterin" all but explicitly invited followers to claim a specific NFT that was supposedly being given away.
That the tweet was illegitimate could be inferred both because Buterin very rarely promotes NFTs (he probably never has), and because an anomalous entry had appeared in the account bio pointing to a newly created token.
In other words, it was fairly obvious that this was an attempted scam, but many people fell for it anyway.
The spoils
The malicious tweet contained a link that was presented as leading to the site from which the free NFTs could be claimed.
Once that link was clicked, victims were taken through a flow that also gave the scammers access to their wallets.
According to some estimates, about $691,000 in total was stolen in this way.
Update: $691k drained (another 33% in drainer fee address) pic.twitter.com/AVIShqDlMU
— ZachXBT (@zachxbt) September 9, 2023
In particular, some CryptoPunk NFTs were stolen.