X-based NFT phishing attack causes losses of over $691,000

Malicious actors targeted Ethereum co-founder, Vitalik Buterin, to spread the phishing attack

Olivia Powell
09/11/2023


A phishing attack has led to the loss of over US$691,000 following the compromise of the X (formerly Twitter) account of co-founder of decentralized blockchain Ethereum and cryptocurrency Ether, Vitalik Buterin.

The hack was discovered on September 9, following suspicious activity on Buterin’s X account. After compromising Buterin’s account, the hackers attempted to steal cryptocurrency and NFTs from those who followed the Ethereum co-founder on X, by making a post which offered them a free commemorative NFT to “celebrate Proto-Danksharding coming to Ethereum”. Instead, this post contained a phishing link that required victims to link their blockchain wallets to the phishing site before receiving the NFT, allowing malicious actors to drain victims’ wallets.

Buterin’s father, Dmitry Buterin, warned Vitalik’s followers that the post and link were not legitimate via a post on X which read: “Apparently Vitalik has been hacked. He is working on restoring access”.

Despite the warning, the post did lead to the victimization of some of Vitalik Buterin’s network, including Ethereum developer, Bok Khoo, who warned others not to interact with the malicious post after losing “a few” of his CryptoPunks NFTs.

ZackXBT posted updates regarding the attack to his X account, noting that as of September 10, $691,000 in cryptocurrency and NFTs had been stolen by the malicious actors. 

It is currently unknown how hackers gained access to Buterin’s account and whether he was the victim of a similar phishing link. It has been suggested, however, that he was the victim of a SIM-swap cyber attack. SIM-swap attacks see malicious actors take control of a victim’s phone number by porting it onto a SIM card in their possession. Once they have control of the phone number, malicious actors can bypass two-factor authentication that sends one-time passcodes via SMS to the victim’s phone.

In the case of Buterin, this would allow hackers to reset his X account’s password, allowing them to log in and post the malicious link.

One of Buterin’s followers, who uses the screenname satoshi_767, criticized Buterin for being compromised in this way, saying that he “should take accountability for his poor [operational security] and compensate those affected”.  

They continued, saying: “The only way this isn’t negligence on Vitalik part is if someone at X internally compromised the account, or if he was coerced in person by a criminal who threatened violence. I highly doubt that’s what happened.”

They finished by saying they hope an investigation into the cyber attack is launched to help victims better understand how it took place.

ZackXBT disagreed with satoshi_767’s assertions, saying: “You do not know yet whether it was a SIM swap. Vitalik is a big enough target to where an insider could have been paid off or panel was used.”

ZackXBT, however, did agree that Buterin should compensate those who fell victim to the phishing link if it was confirmed that he was the victim of a SIM swap attack, as “that would be his fault for using SMS 2FA”. ZackXBT did note that he is sure that Buterin does not use these cyber security methods, and stressed that he should not be held accountable for something that was “entirely out of his control”.

